authorPatrick McHardy <kaber@trash.net>2010-08-03 17:21:18 +0200
committerPatrick McHardy <kaber@trash.net>2010-08-03 17:21:18 +0200
commita653f2936c56bfc541f13a7888484d5ae21c057a (patch)
tree6cd810640b26d9c3c330c4538424edbcc5570285
parentd8b511ed36f00280dd141e59c08874c7fb116504 (diff)
parent422342e47c18e70757231f2210b13df8e1f5931c (diff)
Merge branch 'iptables-next'
-rw-r--r--configure.ac10
-rw-r--r--extensions/libip6t_HL.c9
-rw-r--r--extensions/libip6t_LOG.c33
-rw-r--r--extensions/libip6t_REJECT.c5
-rw-r--r--extensions/libip6t_ah.c9
-rw-r--r--extensions/libip6t_dst.c9
-rw-r--r--extensions/libip6t_frag.c15
-rw-r--r--extensions/libip6t_hbh.c8
-rw-r--r--extensions/libip6t_hl.c12
-rw-r--r--extensions/libip6t_icmp6.c5
-rw-r--r--extensions/libip6t_ipv6header.c7
-rw-r--r--extensions/libip6t_mh.c5
-rw-r--r--extensions/libip6t_rt.c15
-rw-r--r--extensions/libipt_CLUSTERIP.c15
-rw-r--r--extensions/libipt_DNAT.c9
-rw-r--r--extensions/libipt_ECN.c11
-rw-r--r--extensions/libipt_LOG.c32
-rw-r--r--extensions/libipt_MASQUERADE.c7
-rw-r--r--extensions/libipt_NETMAP.c6
-rw-r--r--extensions/libipt_REDIRECT.c7
-rw-r--r--extensions/libipt_REJECT.c5
-rw-r--r--extensions/libipt_SAME.c9
-rw-r--r--extensions/libipt_SNAT.c9
-rw-r--r--extensions/libipt_TTL.c9
-rw-r--r--extensions/libipt_ULOG.c11
-rw-r--r--extensions/libipt_addrtype.c24
-rw-r--r--extensions/libipt_ah.c5
-rw-r--r--extensions/libipt_ecn.c9
-rw-r--r--extensions/libipt_icmp.c5
-rw-r--r--extensions/libipt_realm.c5
-rw-r--r--extensions/libipt_ttl.c12
-rw-r--r--extensions/libxt_CHECKSUM.c97
-rw-r--r--extensions/libxt_CHECKSUM.man8
-rw-r--r--extensions/libxt_CLASSIFY.c5
-rw-r--r--extensions/libxt_CONNMARK.c13
-rw-r--r--extensions/libxt_CONNMARK.man26
-rw-r--r--extensions/libxt_CONNSECMARK.c7
-rw-r--r--extensions/libxt_CT.c13
-rw-r--r--extensions/libxt_DSCP.c7
-rw-r--r--extensions/libxt_IDLETIMER.c138
-rw-r--r--extensions/libxt_IDLETIMER.man20
-rw-r--r--extensions/libxt_LED.c4
-rw-r--r--extensions/libxt_MARK.c10
-rw-r--r--extensions/libxt_MARK.man20
-rw-r--r--extensions/libxt_NFLOG.c11
-rw-r--r--extensions/libxt_NFQUEUE.c7
-rw-r--r--extensions/libxt_RATEEST.c9
-rw-r--r--extensions/libxt_SECMARK.c5
-rw-r--r--extensions/libxt_SET.c7
-rw-r--r--extensions/libxt_TCPMSS.c7
-rw-r--r--extensions/libxt_TCPOPTSTRIP.c4
-rw-r--r--extensions/libxt_TOS.c5
-rw-r--r--extensions/libxt_TOS.man18
-rw-r--r--extensions/libxt_TPROXY.c8
-rw-r--r--extensions/libxt_TPROXY.man2
-rw-r--r--extensions/libxt_cluster.c11
-rw-r--r--extensions/libxt_comment.c5
-rw-r--r--extensions/libxt_connbytes.c9
-rw-r--r--extensions/libxt_connlimit.c7
-rw-r--r--extensions/libxt_connlimit.man2
-rw-r--r--extensions/libxt_connmark.c3
-rw-r--r--extensions/libxt_connmark.man2
-rw-r--r--extensions/libxt_conntrack.c2
-rw-r--r--extensions/libxt_conntrack.man52
-rw-r--r--extensions/libxt_cpu.c99
-rw-r--r--extensions/libxt_cpu.man15
-rw-r--r--extensions/libxt_dccp.c15
-rw-r--r--extensions/libxt_dscp.c7
-rw-r--r--extensions/libxt_esp.c5
-rw-r--r--extensions/libxt_hashlimit.c20
-rw-r--r--extensions/libxt_hashlimit.man12
-rw-r--r--extensions/libxt_helper.c5
-rw-r--r--extensions/libxt_iprange.c3
-rw-r--r--extensions/libxt_iprange.man4
-rw-r--r--extensions/libxt_ipvs.c366
-rw-r--r--extensions/libxt_ipvs.man24
-rw-r--r--extensions/libxt_length.c5
-rw-r--r--extensions/libxt_limit.c8
-rw-r--r--extensions/libxt_mac.c5
-rw-r--r--extensions/libxt_mark.c2
-rw-r--r--extensions/libxt_multiport.c13
-rw-r--r--extensions/libxt_osf.c10
-rw-r--r--extensions/libxt_owner.c6
-rw-r--r--extensions/libxt_physdev.c13
-rw-r--r--extensions/libxt_pkttype.c5
-rw-r--r--extensions/libxt_policy.c21
-rw-r--r--extensions/libxt_quota.c7
-rw-r--r--extensions/libxt_rateest.c31
-rw-r--r--extensions/libxt_recent.c23
-rw-r--r--extensions/libxt_recent.man36
-rw-r--r--extensions/libxt_sctp.c13
-rw-r--r--extensions/libxt_set.c7
-rw-r--r--extensions/libxt_set.man2
-rw-r--r--extensions/libxt_state.c5
-rw-r--r--extensions/libxt_statistic.c11
-rw-r--r--extensions/libxt_string.c15
-rw-r--r--extensions/libxt_tcp.c17
-rw-r--r--extensions/libxt_tcpmss.c5
-rw-r--r--extensions/libxt_time.c18
-rw-r--r--extensions/libxt_time.man16
-rw-r--r--extensions/libxt_tos.c2
-rw-r--r--extensions/libxt_u32.c5
-rw-r--r--extensions/libxt_u32.man36
-rw-r--r--extensions/libxt_udp.c11
-rw-r--r--extensions/tos_values.c2
-rw-r--r--include/linux/netfilter/xt_CHECKSUM.h18
-rw-r--r--include/linux/netfilter/xt_IDLETIMER.h45
-rw-r--r--include/linux/netfilter/xt_cpu.h11
-rw-r--r--include/linux/netfilter/xt_ipvs.h27
-rw-r--r--include/linux/netfilter/xt_quota.h2
-rw-r--r--include/linux/netfilter_ipv4/ipt_LOG.h3
-rw-r--r--include/linux/netfilter_ipv6/ip6t_LOG.h3
-rw-r--r--include/xtables.h.in2
113 files changed, 1444 insertions, 468 deletions
diff --git a/configure.ac b/configure.ac
index a0a9cdad..3b26f548 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,12 +52,18 @@ AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH],
[Path to the pkgconfig directory [[LIBDIR/pkgconfig]]]),
[pkgconfigdir="$withval"], [pkgconfigdir='${libdir}/pkgconfig'])
-AC_CHECK_HEADER([linux/dccp.h])
-
blacklist_modules="";
+
+AC_CHECK_HEADER([linux/dccp.h])
if test "$ac_cv_header_linux_dccp_h" != "yes"; then
blacklist_modules="$blacklist_modules dccp";
fi;
+
+AC_CHECK_HEADER([linux/ip_vs.h])
+if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then
+ blacklist_modules="$blacklist_modules ipvs";
+fi;
+
AC_SUBST([blacklist_modules])
AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"])
diff --git a/extensions/libip6t_HL.c b/extensions/libip6t_HL.c
index bff06111..eeab0c93 100644
--- a/extensions/libip6t_HL.c
+++ b/extensions/libip6t_HL.c
@@ -6,6 +6,7 @@
*/
#include <getopt.h>
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -131,10 +132,10 @@ static void HL_print(const void *ip, const struct xt_entry_target *target,
}
static const struct option HL_opts[] = {
- { "hl-set", 1, NULL, '1' },
- { "hl-dec", 1, NULL, '2' },
- { "hl-inc", 1, NULL, '3' },
- { .name = NULL }
+ {.name = "hl-set", .has_arg = true, .val = '1'},
+ {.name = "hl-dec", .has_arg = true, .val = '2'},
+ {.name = "hl-inc", .has_arg = true, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static struct xtables_target hl_tg6_reg = {
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index 423d9884..727ce6a3 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -1,4 +1,5 @@
/* Shared library add-on to ip6tables to add LOG support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -25,17 +26,19 @@ static void LOG_help(void)
" --log-tcp-sequence Log TCP sequence numbers.\n"
" --log-tcp-options Log TCP options.\n"
" --log-ip-options Log IP options.\n"
-" --log-uid Log UID owning the local socket.\n");
+" --log-uid Log UID owning the local socket.\n"
+" --log-macdecode Decode MAC addresses and protocol.\n");
}
static const struct option LOG_opts[] = {
- { .name = "log-level", .has_arg = 1, .val = '!' },
- { .name = "log-prefix", .has_arg = 1, .val = '#' },
- { .name = "log-tcp-sequence", .has_arg = 0, .val = '1' },
- { .name = "log-tcp-options", .has_arg = 0, .val = '2' },
- { .name = "log-ip-options", .has_arg = 0, .val = '3' },
- { .name = "log-uid", .has_arg = 0, .val = '4' },
- { .name = NULL }
+ {.name = "log-level", .has_arg = true, .val = '!'},
+ {.name = "log-prefix", .has_arg = true, .val = '#'},
+ {.name = "log-tcp-sequence", .has_arg = false, .val = '1'},
+ {.name = "log-tcp-options", .has_arg = false, .val = '2'},
+ {.name = "log-ip-options", .has_arg = false, .val = '3'},
+ {.name = "log-uid", .has_arg = false, .val = '4'},
+ {.name = "log-macdecode", .has_arg = false, .val = '5'},
+ XT_GETOPT_TABLEEND,
};
static void LOG_init(struct xt_entry_target *t)
@@ -96,6 +99,7 @@ parse_level(const char *level)
#define IP6T_LOG_OPT_TCPOPT 0x08
#define IP6T_LOG_OPT_IPOPT 0x10
#define IP6T_LOG_OPT_UID 0x20
+#define IP6T_LOG_OPT_MACDECODE 0x40
static int LOG_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
@@ -179,6 +183,15 @@ static int LOG_parse(int c, char **argv, int invert, unsigned int *flags,
*flags |= IP6T_LOG_OPT_UID;
break;
+ case '5':
+ if (*flags & IP6T_LOG_OPT_MACDECODE)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-macdecode twice");
+
+ loginfo->logflags |= IP6T_LOG_MACDECODE;
+ *flags |= IP6T_LOG_OPT_MACDECODE;
+ break;
+
default:
return 0;
}
@@ -213,6 +226,8 @@ static void LOG_print(const void *ip, const struct xt_entry_target *target,
printf("ip-options ");
if (loginfo->logflags & IP6T_LOG_UID)
printf("uid ");
+ if (loginfo->logflags & IP6T_LOG_MACDECODE)
+ printf("macdecode ");
if (loginfo->logflags & ~(IP6T_LOG_MASK))
printf("unknown-flags ");
}
@@ -240,6 +255,8 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target)
printf("--log-ip-options ");
if (loginfo->logflags & IP6T_LOG_UID)
printf("--log-uid ");
+ if (loginfo->logflags & IP6T_LOG_MACDECODE)
+ printf("--log-macdecode ");
}
static struct xtables_target log_tg6_reg = {
diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c
index b8195d7f..94d26942 100644
--- a/extensions/libip6t_REJECT.c
+++ b/extensions/libip6t_REJECT.c
@@ -5,6 +5,7 @@
* ported to IPv6 by Harald Welte <laforge@gnumonks.org>
*
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -61,8 +62,8 @@ static void REJECT_help(void)
}
static const struct option REJECT_opts[] = {
- { "reject-with", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "reject-with", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static void REJECT_init(struct xt_entry_target *t)
diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c
index 285704c0..41c53853 100644
--- a/extensions/libip6t_ah.c
+++ b/extensions/libip6t_ah.c
@@ -1,4 +1,5 @@
/* Shared library add-on to ip6tables to add AH support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -18,10 +19,10 @@ static void ah_help(void)
}
static const struct option ah_opts[] = {
- { .name = "ahspi", .has_arg = 1, .val = '1' },
- { .name = "ahlen", .has_arg = 1, .val = '2' },
- { .name = "ahres", .has_arg = 0, .val = '3' },
- { .name = NULL }
+ {.name = "ahspi", .has_arg = true, .val = '1'},
+ {.name = "ahlen", .has_arg = true, .val = '2'},
+ {.name = "ahres", .has_arg = false, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static u_int32_t
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index 72df6ad0..9e4875ee 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -1,4 +1,5 @@
/* Shared library add-on to ip6tables to add Dst header support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -22,10 +23,10 @@ IP6T_OPTS_OPTSNR);
}
static const struct option dst_opts[] = {
- { .name = "dst-len", .has_arg = 1, .val = '1' },
- { .name = "dst-opts", .has_arg = 1, .val = '2' },
- { .name = "dst-not-strict", .has_arg = 1, .val = '3' },
- { .name = NULL }
+ {.name = "dst-len", .has_arg = true, .val = '1'},
+ {.name = "dst-opts", .has_arg = true, .val = '2'},
+ {.name = "dst-not-strict", .has_arg = true, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static u_int32_t
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index 5a280cc1..dd23cda6 100644
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
@@ -1,4 +1,5 @@
/* Shared library add-on to ip6tables to add Fragmentation header support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -21,13 +22,13 @@ static void frag_help(void)
}
static const struct option frag_opts[] = {
- { .name = "fragid", .has_arg = 1, .val = '1' },
- { .name = "fraglen", .has_arg = 1, .val = '2' },
- { .name = "fragres", .has_arg = 0, .val = '3' },
- { .name = "fragfirst", .has_arg = 0, .val = '4' },
- { .name = "fragmore", .has_arg = 0, .val = '5' },
- { .name = "fraglast", .has_arg = 0, .val = '6' },
- { .name = NULL }
+ {.name = "fragid", .has_arg = true, .val = '1'},
+ {.name = "fraglen", .has_arg = true, .val = '2'},
+ {.name = "fragres", .has_arg = false, .val = '3'},
+ {.name = "fragfirst", .has_arg = false, .val = '4'},
+ {.name = "fragmore", .has_arg = false, .val = '5'},
+ {.name = "fraglast", .has_arg = false, .val = '6'},
+ XT_GETOPT_TABLEEND,
};
static u_int32_t
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index 520ec9ed..cddd615f 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -25,10 +25,10 @@ IP6T_OPTS_OPTSNR);
}
static const struct option hbh_opts[] = {
- { "hbh-len", 1, NULL, '1' },
- { "hbh-opts", 1, NULL, '2' },
- { "hbh-not-strict", 1, NULL, '3' },
- { .name = NULL }
+ {.name = "hbh-len", .has_arg = true, .val = '1'},
+ {.name = "hbh-opts", .has_arg = true, .val = '2'},
+ {.name = "hbh-not-strict", .has_arg = true, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static u_int32_t
diff --git a/extensions/libip6t_hl.c b/extensions/libip6t_hl.c
index 09589b19..6e58250c 100644
--- a/extensions/libip6t_hl.c
+++ b/extensions/libip6t_hl.c
@@ -5,7 +5,7 @@
* This program is released under the terms of GNU GPL
* Cleanups by Stephane Ouellette <ouellettes@videotron.ca>
*/
-
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -116,11 +116,11 @@ static void hl_save(const void *ip, const struct xt_entry_match *match)
}
static const struct option hl_opts[] = {
- { .name = "hl", .has_arg = 1, .val = '2' },
- { .name = "hl-eq", .has_arg = 1, .val = '2' },
- { .name = "hl-lt", .has_arg = 1, .val = '3' },
- { .name = "hl-gt", .has_arg = 1, .val = '4' },
- { .name = NULL }
+ {.name = "hl", .has_arg = true, .val = '2'},
+ {.name = "hl-eq", .has_arg = true, .val = '2'},
+ {.name = "hl-lt", .has_arg = true, .val = '3'},
+ {.name = "hl-gt", .has_arg = true, .val = '4'},
+ XT_GETOPT_TABLEEND,
};
static struct xtables_match hl_mt6_reg = {
diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
index fb321b3b..b8a6ec92 100644
--- a/extensions/libip6t_icmp6.c
+++ b/extensions/libip6t_icmp6.c
@@ -1,4 +1,5 @@
/* Shared library add-on to ip6tables to add ICMP support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -84,8 +85,8 @@ static void icmp6_help(void)
}
static const struct option icmp6_opts[] = {
- { "icmpv6-type", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "icmpv6-type", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
index af1f5ef6..d6ce248c 100644
--- a/extensions/libip6t_ipv6header.c
+++ b/extensions/libip6t_ipv6header.c
@@ -6,6 +6,7 @@ on whether they contain certain headers */
#include <getopt.h>
#include <xtables.h>
+#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
@@ -140,9 +141,9 @@ static void ipv6header_help(void)
}
static const struct option ipv6header_opts[] = {
- { "header", 1, NULL, '1' },
- { "soft", 0, NULL, '2' },
- { .name = NULL }
+ {.name = "header", .has_arg = true, .val = '1'},
+ {.name = "soft", .has_arg = false, .val = '2'},
+ XT_GETOPT_TABLEEND,
};
static void ipv6header_init(struct xt_entry_match *m)
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 95cd65d1..54dd8c68 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -11,6 +11,7 @@
*
* Based on libip6t_{icmpv6,udp}.c
*/
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -216,8 +217,8 @@ static void mh_save(const void *ip, const struct xt_entry_match *match)
}
static const struct option mh_opts[] = {
- { "mh-type", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "mh-type", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static struct xtables_match mh_mt6_reg = {
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index a04023df..f1a50eb8 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -1,4 +1,5 @@
/* Shared library add-on to ip6tables to add Routing header support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -28,13 +29,13 @@ IP6T_RT_HOPS);
}
static const struct option rt_opts[] = {
- { "rt-type", 1, NULL, '1' },
- { "rt-segsleft", 1, NULL, '2' },
- { "rt-len", 1, NULL, '3' },
- { "rt-0-res", 0, NULL, '4' },
- { "rt-0-addrs", 1, NULL, '5' },
- { "rt-0-not-strict", 0, NULL, '6' },
- { .name = NULL }
+ {.name = "rt-type", .has_arg = true, .val = '1'},
+ {.name = "rt-segsleft", .has_arg = true, .val = '2'},
+ {.name = "rt-len", .has_arg = true, .val = '3'},
+ {.name = "rt-0-res", .has_arg = false, .val = '4'},
+ {.name = "rt-0-addrs", .has_arg = true, .val = '5'},
+ {.name = "rt-0-not-strict", .has_arg = false, .val = '6'},
+ XT_GETOPT_TABLEEND,
};
static u_int32_t
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
index 279aacff..492eefc3 100644
--- a/extensions/libipt_CLUSTERIP.c
+++ b/extensions/libipt_CLUSTERIP.c
@@ -3,6 +3,7 @@
*
* Development of this code was funded by SuSE AG, http://www.suse.com/
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -41,13 +42,13 @@ static void CLUSTERIP_help(void)
#define PARAM_HASHINIT 0x0020
static const struct option CLUSTERIP_opts[] = {
- { "new", 0, NULL, '1' },
- { "hashmode", 1, NULL, '2' },
- { "clustermac", 1, NULL, '3' },
- { "total-nodes", 1, NULL, '4' },
- { "local-node", 1, NULL, '5' },
- { "hash-init", 1, NULL, '6' },
- { .name = NULL }
+ {.name = "new", .has_arg = false, .val = '1'},
+ {.name = "hashmode", .has_arg = true, .val = '2'},
+ {.name = "clustermac", .has_arg = true, .val = '3'},
+ {.name = "total-nodes", .has_arg = true, .val = '4'},
+ {.name = "local-node", .has_arg = true, .val = '5'},
+ {.name = "hash-init", .has_arg = true, .val = '6'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 57c5888b..7afe241a 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add destination-NAT support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -31,10 +32,10 @@ static void DNAT_help(void)
}
static const struct option DNAT_opts[] = {
- { "to-destination", 1, NULL, '1' },
- { "random", 0, NULL, '2' },
- { "persistent", 0, NULL, '3' },
- { .name = NULL }
+ {.name = "to-destination", .has_arg = true, .val = '1'},
+ {.name = "random", .has_arg = false, .val = '2'},
+ {.name = "persistent", .has_arg = false, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static struct ipt_natinfo *
diff --git a/extensions/libipt_ECN.c b/extensions/libipt_ECN.c
index bf1f8a5a..75ea0114 100644
--- a/extensions/libipt_ECN.c
+++ b/extensions/libipt_ECN.c
@@ -8,6 +8,7 @@
*
* $Id$
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -32,11 +33,11 @@ static void ECN_help(void)
static const struct option ECN_opts[] = {
- { "ecn-tcp-remove", 0, NULL, 'F' },
- { "ecn-tcp-cwr", 1, NULL, 'G' },
- { "ecn-tcp-ece", 1, NULL, 'H' },
- { "ecn-ip-ect", 1, NULL, '9' },
- { .name = NULL }
+ {.name = "ecn-tcp-remove", .has_arg = false, .val = 'F'},
+ {.name = "ecn-tcp-cwr", .has_arg = true, .val = 'G'},
+ {.name = "ecn-tcp-ece", .has_arg = true, .val = 'H'},
+ {.name = "ecn-ip-ect", .has_arg = true, .val = '9'},
+ XT_GETOPT_TABLEEND,
};
static int ECN_parse(int c, char **argv, int invert, unsigned int *flags,
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 9afb91d6..0c412717 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add LOG support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -25,17 +26,19 @@ static void LOG_help(void)
" --log-tcp-sequence Log TCP sequence numbers.\n\n"
" --log-tcp-options Log TCP options.\n\n"
" --log-ip-options Log IP options.\n\n"
-" --log-uid Log UID owning the local socket.\n\n");
+" --log-uid Log UID owning the local socket.\n\n"
+" --log-macdecode Decode MAC addresses and protocol.\n\n");
}
static const struct option LOG_opts[] = {
- { .name = "log-level", .has_arg = 1, .val = '!' },
- { .name = "log-prefix", .has_arg = 1, .val = '#' },
- { .name = "log-tcp-sequence", .has_arg = 0, .val = '1' },
- { .name = "log-tcp-options", .has_arg = 0, .val = '2' },
- { .name = "log-ip-options", .has_arg = 0, .val = '3' },
- { .name = "log-uid", .has_arg = 0, .val = '4' },
- { .name = NULL }
+ {.name = "log-level", .has_arg = true, .val = '!'},
+ {.name = "log-prefix", .has_arg = true, .val = '#'},
+ {.name = "log-tcp-sequence", .has_arg = false, .val = '1'},
+ {.name = "log-tcp-options", .has_arg = false, .val = '2'},
+ {.name = "log-ip-options", .has_arg = false, .val = '3'},
+ {.name = "log-uid", .has_arg = false, .val = '4'},
+ {.name = "log-macdecode", .has_arg = false, .val = '5'},
+ XT_GETOPT_TABLEEND,
};
static void LOG_init(struct xt_entry_target *t)
@@ -96,6 +99,7 @@ parse_level(const char *level)
#define IPT_LOG_OPT_TCPOPT 0x08
#define IPT_LOG_OPT_IPOPT 0x10
#define IPT_LOG_OPT_UID 0x20
+#define IPT_LOG_OPT_MACDECODE 0x40
static int LOG_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
@@ -179,6 +183,14 @@ static int LOG_parse(int c, char **argv, int invert, unsigned int *flags,
*flags |= IPT_LOG_OPT_UID;
break;
+ case '5':
+ if (*flags & IPT_LOG_OPT_MACDECODE)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specifiy --log-macdecode twice");
+
+ loginfo->logflags |= IPT_LOG_MACDECODE;
+ *flags |= IPT_LOG_OPT_MACDECODE;
+ break;
default:
return 0;
}
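Review bot: The error string in the new `case '5':` branch misspells "specify" ("Can't specifiy --log-macdecode twice"), and this text is user-facing — it is what the parser reports when the option is repeated; the IPv6 counterpart in libip6t_LOG.c spells it correctly, so the two should match: `"Can't specify --log-macdecode twice");`. As a point of style, the IPv6 hunk also leaves a blank line between `break;` and `default:`, whereas this branch runs straight into `default:`; adding the blank line keeps the two LOG_parse bodies in step for future side-by-side edits. LOG_parse begins and ends outside this hunk.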
@@ -213,6 +225,8 @@ static void LOG_print(const void *ip, const struct xt_entry_target *target,
printf("ip-options ");
if (loginfo->logflags & IPT_LOG_UID)
printf("uid ");
+ if (loginfo->logflags & IPT_LOG_MACDECODE)
+ printf("macdecode ");
if (loginfo->logflags & ~(IPT_LOG_MASK))
printf("unknown-flags ");
}
@@ -242,6 +256,8 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target)
printf("--log-ip-options ");
if (loginfo->logflags & IPT_LOG_UID)
printf("--log-uid ");
+ if (loginfo->logflags & IPT_LOG_MACDECODE)
+ printf("--log-macdecode ");
}
static struct xtables_target log_tg_reg = {
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index 3386ff34..b6bbd605 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add masquerade support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -20,9 +21,9 @@ static void MASQUERADE_help(void)
}
static const struct option MASQUERADE_opts[] = {
- { "to-ports", 1, NULL, '1' },
- { "random", 0, NULL, '2' },
- { .name = NULL }
+ {.name = "to-ports", .has_arg = true, .val = '1'},
+ {.name = "random", .has_arg = false, .val = '2'},
+ XT_GETOPT_TABLEEND,
};
static void MASQUERADE_init(struct xt_entry_target *t)
diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c
index b05022b0..09262baa 100644
--- a/extensions/libipt_NETMAP.c
+++ b/extensions/libipt_NETMAP.c
@@ -1,7 +1,7 @@
/* Shared library add-on to iptables to add static NAT support.
Author: Svenning Soerensen <svenning@post5.tele.dk>
*/
-
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -13,8 +13,8 @@
#define MODULENAME "NETMAP"
static const struct option NETMAP_opts[] = {
- { "to", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "to", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static void NETMAP_help(void)
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 324d0ebf..940603a9 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add redirect support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -22,9 +23,9 @@ static void REDIRECT_help(void)
}
static const struct option REDIRECT_opts[] = {
- { "to-ports", 1, NULL, '1' },
- { "random", 0, NULL, '2' },
- { .name = NULL }
+ {.name = "to-ports", .has_arg = true, .val = '1'},
+ {.name = "random", .has_arg = false, .val = '2'},
+ XT_GETOPT_TABLEEND,
};
static void REDIRECT_init(struct xt_entry_target *t)
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index 85d9e53f..8c08dd0c 100644
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c
@@ -2,6 +2,7 @@
*
* (C) 2000 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -76,8 +77,8 @@ static void REJECT_help(void)
}
static const struct option REJECT_opts[] = {
- { "reject-with", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "reject-with", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static void REJECT_init(struct xt_entry_target *t)
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index ed02ef95..5fb1b5b2 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add simple non load-balancing SNAT support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -25,10 +26,10 @@ static void SAME_help(void)
}
static const struct option SAME_opts[] = {
- { "to", 1, NULL, '1' },
- { "nodst", 0, NULL, '2'},
- { "random", 0, NULL, '3' },
- { .name = NULL }
+ {.name = "to", .has_arg = true, .val = '1'},
+ {.name = "nodst", .has_arg = false, .val = '2'},
+ {.name = "random", .has_arg = false, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static void SAME_init(struct xt_entry_target *t)
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index f7c93d81..1075c793 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add source-NAT support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -31,10 +32,10 @@ static void SNAT_help(void)
}
static const struct option SNAT_opts[] = {
- { "to-source", 1, NULL, '1' },
- { "random", 0, NULL, '2' },
- { "persistent", 0, NULL, '3' },
- { .name = NULL }
+ {.name = "to-source", .has_arg = true, .val = '1'},
+ {.name = "random", .has_arg = false, .val = '2'},
+ {.name = "persistent", .has_arg = false, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static struct ipt_natinfo *
diff --git a/extensions/libipt_TTL.c b/extensions/libipt_TTL.c
index 4db9bbe9..2e0c2338 100644
--- a/extensions/libipt_TTL.c
+++ b/extensions/libipt_TTL.c
@@ -5,6 +5,7 @@
*
* This program is distributed under the terms of GNU GPL
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -131,10 +132,10 @@ static void TTL_print(const void *ip, const struct xt_entry_target *target,
}
static const struct option TTL_opts[] = {
- { "ttl-set", 1, NULL, '1' },
- { "ttl-dec", 1, NULL, '2' },
- { "ttl-inc", 1, NULL, '3' },
- { .name = NULL }
+ {.name = "ttl-set", .has_arg = true, .val = '1'},
+ {.name = "ttl-dec", .has_arg = true, .val = '2'},
+ {.name = "ttl-inc", .has_arg = true, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static struct xtables_target ttl_tg_reg = {
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
index 4d009b75..46928c34 100644
--- a/extensions/libipt_ULOG.c
+++ b/extensions/libipt_ULOG.c
@@ -9,6 +9,7 @@
*
* libipt_ULOG.c,v 1.7 2001/01/30 11:55:02 laforge Exp
*/
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -42,11 +43,11 @@ static void ULOG_help(void)
}
static const struct option ULOG_opts[] = {
- {"ulog-nlgroup", 1, NULL, '!'},
- {"ulog-prefix", 1, NULL, '#'},
- {"ulog-cprange", 1, NULL, 'A'},
- {"ulog-qthreshold", 1, NULL, 'B'},
- { .name = NULL }
+ {.name = "ulog-nlgroup", .has_arg = true, .val = '!'},
+ {.name = "ulog-prefix", .has_arg = true, .val = '#'},
+ {.name = "ulog-cprange", .has_arg = true, .val = 'A'},
+ {.name = "ulog-qthreshold", .has_arg = true, .val = 'B'},
+ XT_GETOPT_TABLEEND,
};
static void ULOG_init(struct xt_entry_target *t)
diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c
index ad63dcf7..9391b4e6 100644
--- a/extensions/libipt_addrtype.c
+++ b/extensions/libipt_addrtype.c
@@ -1,7 +1,7 @@
/* Shared library add-on to iptables to add addrtype matching support
*
* This program is released under the terms of GNU GPL */
-
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -304,23 +304,23 @@ static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match)
}
static const struct option addrtype_opts[] = {
- { "src-type", 1, NULL, '1' },
- { "dst-type", 1, NULL, '2' },
- { .name = NULL }
+ {.name = "src-type", .has_arg = true, .val = '1'},
+ {.name = "dst-type", .has_arg = true, .val = '2'},
+ XT_GETOPT_TABLEEND,
};
static const struct option addrtype_opts_v0[] = {
- { "src-type", 1, NULL, '1' },
- { "dst-type", 1, NULL, '2' },
- { .name = NULL }
+ {.name = "src-type", .has_arg = true, .val = '1'},
+ {.name = "dst-type", .has_arg = true, .val = '2'},
+ XT_GETOPT_TABLEEND,
};
static const struct option addrtype_opts_v1[] = {
- { "src-type", 1, NULL, '1' },
- { "dst-type", 1, NULL, '2' },
- { "limit-iface-in", 0, NULL, '3' },
- { "limit-iface-out", 0, NULL, '4' },
- { .name = NULL }
+ {.name = "src-type", .has_arg = true, .val = '1'},
+ {.name = "dst-type", .has_arg = true, .val = '2'},
+ {.name = "limit-iface-in", .has_arg = false, .val = '3'},
+ {.name = "limit-iface-out", .has_arg = false, .val = '4'},
+ XT_GETOPT_TABLEEND,
};
static struct xtables_match addrtype_mt_reg[] = {
diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c
index 170cd8b9..58ed6d15 100644
--- a/extensions/libipt_ah.c
+++ b/extensions/libipt_ah.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add AH support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -17,8 +18,8 @@ static void ah_help(void)
}
static const struct option ah_opts[] = {
- { "ahspi", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "ahspi", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static u_int32_t
diff --git a/extensions/libipt_ecn.c b/extensions/libipt_ecn.c
index ec3ff2da..3f1fc3bd 100644
--- a/extensions/libipt_ecn.c
+++ b/extensions/libipt_ecn.c
@@ -7,6 +7,7 @@
* libipt_ecn.c borrowed heavily from libipt_dscp.c
*
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -25,10 +26,10 @@ static void ecn_help(void)
}
static const struct option ecn_opts[] = {
- { .name = "ecn-tcp-cwr", .has_arg = 0, .val = 'F' },
- { .name = "ecn-tcp-ece", .has_arg = 0, .val = 'G' },
- { .name = "ecn-ip-ect", .has_arg = 1, .val = 'H' },
- { .name = NULL }
+ {.name = "ecn-tcp-cwr", .has_arg = false, .val = 'F'},
+ {.name = "ecn-tcp-ece", .has_arg = false, .val = 'G'},
+ {.name = "ecn-ip-ect", .has_arg = true, .val = 'H'},
+ XT_GETOPT_TABLEEND,
};
static int ecn_parse(int c, char **argv, int invert, unsigned int *flags,
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index 37b2fdcd..28985b94 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add ICMP support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -108,8 +109,8 @@ static void icmp_help(void)
}
static const struct option icmp_opts[] = {
- { "icmp-type", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "icmp-type", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index cd4b324b..1d485464 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add realm matching support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -23,8 +24,8 @@ static void realm_help(void)
}
static const struct option realm_opts[] = {
- { "realm", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "realm", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
struct realmname {
diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c
index e2fbcd5b..34d0f235 100644
--- a/extensions/libipt_ttl.c
+++ b/extensions/libipt_ttl.c
@@ -4,7 +4,7 @@
* $Id$
*
* This program is released under the terms of GNU GPL */
-
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -139,11 +139,11 @@ static void ttl_save(const void *ip, const struct xt_entry_match *match)
}
static const struct option ttl_opts[] = {
- { "ttl", 1, NULL, '2' },
- { "ttl-eq", 1, NULL, '2'},
- { "ttl-lt", 1, NULL, '3'},
- { "ttl-gt", 1, NULL, '4'},
- { .name = NULL }
+ {.name = "ttl", .has_arg = true, .val = '2'},
+ {.name = "ttl-eq", .has_arg = true, .val = '2'},
+ {.name = "ttl-lt", .has_arg = true, .val = '3'},
+ {.name = "ttl-gt", .has_arg = true, .val = '4'},
+ XT_GETOPT_TABLEEND,
};
static struct xtables_match ttl_mt_reg = {
diff --git a/extensions/libxt_CHECKSUM.c b/extensions/libxt_CHECKSUM.c
new file mode 100644
index 00000000..101a54ca
--- /dev/null
+++ b/extensions/libxt_CHECKSUM.c
@@ -0,0 +1,97 @@
+/* Shared library add-on to xtables for CHECKSUM
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 by Red Hat, Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ *
+ * libxt_CHECKSUM.c borrowed some bits from libipt_ECN.c
+ */
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_CHECKSUM.h>
+
+static void CHECKSUM_help(void)
+{
+ printf(
+"CHECKSUM target options\n"
+" --checksum-fill Fill in packet checksum.\n");
+}
+
+static const struct option CHECKSUM_opts[] = {
+ {.name = "checksum-fill", .has_arg = false, .val = 'F'},
+ XT_GETOPT_TABLEEND,
+};
+
+static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_CHECKSUM_info *einfo
+ = (struct xt_CHECKSUM_info *)(*target)->data;
+
+ switch (c) {
+ case 'F':
+ xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill",
+ *flags & XT_CHECKSUM_OP_FILL);
+ einfo->operation = XT_CHECKSUM_OP_FILL;
+ *flags |= XT_CHECKSUM_OP_FILL;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void CHECKSUM_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "CHECKSUM target: Parameter --checksum-fill is required");
+}
+
+static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_CHECKSUM_info *einfo =
+ (const struct xt_CHECKSUM_info *)target->data;
+
+ printf("CHECKSUM ");
+
+ if (einfo->operation & XT_CHECKSUM_OP_FILL)
+ printf("fill ");
+}
+
+static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_CHECKSUM_info *einfo =
+ (const struct xt_CHECKSUM_info *)target->data;
+
+ if (einfo->operation & XT_CHECKSUM_OP_FILL)
+ printf("--checksum-fill ");
+}
+
+static struct xtables_target checksum_tg_reg = {
+ .name = "CHECKSUM",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+ .help = CHECKSUM_help,
+ .parse = CHECKSUM_parse,
+ .final_check = CHECKSUM_check,
+ .print = CHECKSUM_print,
+ .save = CHECKSUM_save,
+ .extra_opts = CHECKSUM_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&checksum_tg_reg);
+}
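Review bot: The loader at the bottom of the file is `void _init(void)`, while the other new extension in this same merge, libxt_IDLETIMER.c, registers itself with `static __attribute__((constructor)) void idletimer_tg_ldr(void)`; two files landing together should use one mechanism, and the constructor form is the safer choice because `_init` is a reserved identifier and, in a statically linked build, presumably collides with the `_init` symbol supplied by the toolchain's crti.o. Replace the last four lines with `static __attribute__((constructor)) void checksum_tg_ldr(void)` `{` `xtables_register_target(&checksum_tg_reg);` `}`. Separately, libxt_CHECKSUM.man restricts the target to the mangle table but `CHECKSUM_help` does not say so; extending the help line to `" --checksum-fill Fill in packet checksum (mangle table only).\n"` keeps the two in sync.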
diff --git a/extensions/libxt_CHECKSUM.man b/extensions/libxt_CHECKSUM.man
new file mode 100644
index 00000000..92ae700f
--- /dev/null
+++ b/extensions/libxt_CHECKSUM.man
@@ -0,0 +1,8 @@
+This target allows to selectively work around broken/old applications.
+It can only be used in the mangle table.
+.TP
+\fB\-\-checksum\-fill\fP
+Compute and fill in the checksum in a packet that lacks a checksum.
+This is particularly useful, if you need to work around old applications
+such as dhcp clients, that do not work well with checksum offloads,
+but don't want to disable checksum offload in your device.
diff --git a/extensions/libxt_CLASSIFY.c b/extensions/libxt_CLASSIFY.c
index 82b8f4e0..ab5127c3 100644
--- a/extensions/libxt_CLASSIFY.c
+++ b/extensions/libxt_CLASSIFY.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add CLASSIFY target support. */
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -19,8 +20,8 @@ CLASSIFY_help(void)
}
static const struct option CLASSIFY_opts[] = {
- { "set-class", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "set-class", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static int CLASSIFY_string_to_priority(const char *s, unsigned int *p)
diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 6aba5f3c..67728775 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -19,6 +19,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -49,11 +50,11 @@ static void CONNMARK_help(void)
}
static const struct option CONNMARK_opts[] = {
- { "set-mark", 1, NULL, '1' },
- { "save-mark", 0, NULL, '2' },
- { "restore-mark", 0, NULL, '3' },
- { "mask", 1, NULL, '4' },
- { .name = NULL }
+ {.name = "set-mark", .has_arg = true, .val = '1'},
+ {.name = "save-mark", .has_arg = false, .val = '2'},
+ {.name = "restore-mark", .has_arg = false, .val = '3'},
+ {.name = "mask", .has_arg = true, .val = '4'},
+ XT_GETOPT_TABLEEND,
};
static const struct option connmark_tg_opts[] = {
@@ -67,7 +68,7 @@ static const struct option connmark_tg_opts[] = {
{.name = "ctmask", .has_arg = true, .val = 'c'},
{.name = "nfmask", .has_arg = true, .val = 'n'},
{.name = "mask", .has_arg = true, .val = 'm'},
- {.name = NULL},
+ XT_GETOPT_TABLEEND,
};
static void connmark_tg_help(void)
diff --git a/extensions/libxt_CONNMARK.man b/extensions/libxt_CONNMARK.man
index 13c6b4bd..93179239 100644
--- a/extensions/libxt_CONNMARK.man
+++ b/extensions/libxt_CONNMARK.man
@@ -2,7 +2,7 @@ This module sets the netfilter mark value associated with a connection. The
mark is 32 bits wide.
.TP
\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Zero out the bits given by \fImask\fR and XOR \fIvalue\fR into the ctmark.
+Zero out the bits given by \fImask\fP and XOR \fIvalue\fP into the ctmark.
.TP
\fB\-\-save\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given
@@ -10,18 +10,18 @@ masks. The new nfmark value is determined as follows:
.IP
ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
.IP
-i.e. \fIctmask\fR defines what bits to clear and \fInfmask\fR what bits of the
-nfmark to XOR into the ctmark. \fIctmask\fR and \fInfmask\fR default to
+i.e. \fIctmask\fP defines what bits to clear and \fInfmask\fP what bits of the
+nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to
0xFFFFFFFF.
.TP
\fB\-\-restore\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given
masks. The new ctmark value is determined as follows:
.IP
-nfmark = (nfmark & ~\fInfmask\fR) ^ (ctmark & \fIctmask\fR);
+nfmark = (nfmark & ~\fInfmask\fP) ^ (ctmark & \fIctmask\fP);
.IP
-i.e. \fInfmask\fR defines what bits to clear and \fIctmask\fR what bits of the
-ctmark to XOR into the nfmark. \fIctmask\fR and \fInfmask\fR default to
+i.e. \fInfmask\fP defines what bits to clear and \fIctmask\fP what bits of the
+ctmark to XOR into the nfmark. \fIctmask\fP and \fInfmask\fP default to
0xFFFFFFFF.
.IP
\fB\-\-restore\-mark\fP is only valid in the \fBmangle\fP table.
@@ -29,16 +29,16 @@ ctmark to XOR into the nfmark. \fIctmask\fR and \fInfmask\fR default to
The following mnemonics are available for \fB\-\-set\-xmark\fP:
.TP
\fB\-\-and\-mark\fP \fIbits\fP
-Binary AND the ctmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark
-0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.)
+Binary AND the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark
+0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
.TP
\fB\-\-or\-mark\fP \fIbits\fP
-Binary OR the ctmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP
-\fIbits\fR\fB/\fR\fIbits\fR.)
+Binary OR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
+\fIbits\fP\fB/\fP\fIbits\fP.)
.TP
\fB\-\-xor\-mark\fP \fIbits\fP
-Binary XOR the ctmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP
-\fIbits\fR\fB/0\fR.)
+Binary XOR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
+\fIbits\fP\fB/0\fP.)
.TP
\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
Set the connection mark. If a mask is specified then only those bits set in the
@@ -50,4 +50,4 @@ copied.
.TP
\fB\-\-restore\-mark\fP [\fB\-\-mask\fP \fImask\fP]
Copy the ctmark to the nfmark. If a mask is specified, only those bits are
-copied. This is only valid in the \fBmangle\fR table.
+copied. This is only valid in the \fBmangle\fP table.
diff --git a/extensions/libxt_CONNSECMARK.c b/extensions/libxt_CONNSECMARK.c
index d95339f3..8df23639 100644
--- a/extensions/libxt_CONNSECMARK.c
+++ b/extensions/libxt_CONNSECMARK.c
@@ -5,6 +5,7 @@
*
* Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -23,9 +24,9 @@ static void CONNSECMARK_help(void)
}
static const struct option CONNSECMARK_opts[] = {
- { "save", 0, NULL, '1' },
- { "restore", 0, NULL, '2' },
- { .name = NULL }
+ {.name = "save", .has_arg = false, .val = '1'},
+ {.name = "restore", .has_arg = false, .val = '2'},
+ XT_GETOPT_TABLEEND,
};
static int
diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
index 6be6ea05..8952b757 100644
--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
@@ -1,3 +1,4 @@
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -28,12 +29,12 @@ enum ct_options {
};
static const struct option ct_opts[] = {
- { "notrack", 0, NULL, CT_OPT_NOTRACK },
- { "helper", 1, NULL, CT_OPT_HELPER },
- { "ctevents", 1, NULL, CT_OPT_CTEVENTS },
- { "expevents", 1, NULL, CT_OPT_EXPEVENTS },
- { "zone", 1, NULL, CT_OPT_ZONE },
- { .name = NULL },
+ {.name = "notrack", .has_arg = false, .val = CT_OPT_NOTRACK},
+ {.name = "helper", .has_arg = true, .val = CT_OPT_HELPER},
+ {.name = "ctevents", .has_arg = true, .val = CT_OPT_CTEVENTS},
+ {.name = "expevents", .has_arg = true, .val = CT_OPT_EXPEVENTS},
+ {.name = "zone", .has_arg = true, .val = CT_OPT_ZONE},
+ XT_GETOPT_TABLEEND,
};
struct event_tbl {
diff --git a/extensions/libxt_DSCP.c b/extensions/libxt_DSCP.c
index 82ac10c3..9a698248 100644
--- a/extensions/libxt_DSCP.c
+++ b/extensions/libxt_DSCP.c
@@ -9,6 +9,7 @@
*
* --set-class added by Iain Barnes
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -38,9 +39,9 @@ static void DSCP_help(void)
}
static const struct option DSCP_opts[] = {
- { "set-dscp", 1, NULL, 'F' },
- { "set-dscp-class", 1, NULL, 'G' },
- { .name = NULL }
+ {.name = "set-dscp", .has_arg = true, .val = 'F'},
+ {.name = "set-dscp-class", .has_arg = true, .val = 'G'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libxt_IDLETIMER.c b/extensions/libxt_IDLETIMER.c
new file mode 100644
index 00000000..12573a4f
--- /dev/null
+++ b/extensions/libxt_IDLETIMER.c
@@ -0,0 +1,138 @@
+/*
+ * Shared library add-on for iptables to add IDLETIMER support.
+ *
+ * Copyright (C) 2010 Nokia Corporation. All rights reserved.
+ *
+ * Contact: Luciano Coelho <luciano.coelho@nokia.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA
+ *
+ */
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <stddef.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_IDLETIMER.h>
+
+enum {
+ IDLETIMER_TG_OPT_TIMEOUT = 1 << 0,
+ IDLETIMER_TG_OPT_LABEL = 1 << 1,
+};
+
+static const struct option idletimer_tg_opts[] = {
+ {.name = "timeout", .has_arg = true, .val = 't'},
+ {.name = "label", .has_arg = true, .val = 'l'},
+ XT_GETOPT_TABLEEND,
+};
+
+static void idletimer_tg_help(void)
+{
+ printf(
+"IDLETIMER target options:\n"
+" --timeout time Timeout until the notification is sent (in seconds)\n"
+" --label string Unique rule identifier\n"
+"\n");
+}
+
+static int idletimer_tg_parse(int c, char **argv, int invert,
+ unsigned int *flags,
+ const void *entry,
+ struct xt_entry_target **target)
+{
+ struct idletimer_tg_info *info =
+ (struct idletimer_tg_info *)(*target)->data;
+
+ switch (c) {
+ case 't':
+ xtables_param_act(XTF_ONLY_ONCE, "IDLETIMER", "--timeout",
+ *flags & IDLETIMER_TG_OPT_TIMEOUT);
+
+ info->timeout = atoi(optarg);
+ *flags |= IDLETIMER_TG_OPT_TIMEOUT;
+ break;
+
+ case 'l':
+ xtables_param_act(XTF_ONLY_ONCE, "IDLETIMER", "--label",
+ *flags & IDLETIMER_TG_OPT_TIMEOUT);
+
+ if (strlen(optarg) > MAX_IDLETIMER_LABEL_SIZE - 1)
+ xtables_param_act(XTF_BAD_VALUE, "IDLETIMER", "--label",
+ optarg);
+
+ strcpy(info->label, optarg);
+ *flags |= IDLETIMER_TG_OPT_LABEL;
+ break;
+
+ default:
+ return false;
+ }
+
+ return true;
+}
+
+static void idletimer_tg_final_check(unsigned int flags)
+{
+ if (!(flags & IDLETIMER_TG_OPT_TIMEOUT))
+ xtables_error(PARAMETER_PROBLEM, "IDLETIMER target: "
+ "--timeout parameter required");
+ if (!(flags & IDLETIMER_TG_OPT_LABEL))
+ xtables_error(PARAMETER_PROBLEM, "IDLETIMER target: "
+ "--label parameter required");
+}
+
+static void idletimer_tg_print(const void *ip,
+ const struct xt_entry_target *target,
+ int numeric)
+{
+ struct idletimer_tg_info *info =
+ (struct idletimer_tg_info *) target->data;
+
+ printf("timeout:%u ", info->timeout);
+ printf("label:%s ", info->label);
+}
+
+static void idletimer_tg_save(const void *ip,
+ const struct xt_entry_target *target)
+{
+ struct idletimer_tg_info *info =
+ (struct idletimer_tg_info *) target->data;
+
+ printf("--timeout %u ", info->timeout);
+ printf("--label %s ", info->label);
+}
+
+static struct xtables_target idletimer_tg_reg = {
+ .family = NFPROTO_UNSPEC,
+ .name = "IDLETIMER",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct idletimer_tg_info)),
+ .userspacesize = offsetof(struct idletimer_tg_info, timer),
+ .help = idletimer_tg_help,
+ .parse = idletimer_tg_parse,
+ .final_check = idletimer_tg_final_check,
+ .print = idletimer_tg_print,
+ .save = idletimer_tg_save,
+ .extra_opts = idletimer_tg_opts,
+};
+
+static __attribute__((constructor)) void idletimer_tg_ldr(void)
+{
+ xtables_register_target(&idletimer_tg_reg);
+}
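Review bot: The `--label` case in `idletimer_tg_parse` passes `*flags & IDLETIMER_TG_OPT_TIMEOUT` to the `XTF_ONLY_ONCE` check instead of the label bit, so `--timeout 10 --label foo` in that order is rejected as a repeated `--label` while `--label` given twice is not rejected at all; the condition should read `*flags & IDLETIMER_TG_OPT_LABEL`. The `--timeout` case stores `atoi(optarg)` unchecked, so `--timeout abc` silently becomes 0 and `--timeout -1` is written into what is presumably an unsigned kernel field; parse it with a range-checked helper (`xtables_strtoui(optarg, NULL, &tmo, 0, UINT32_MAX)` if this tree provides it, otherwise `strtoul` with an end-pointer check) and reject failures via `xtables_param_act(XTF_BAD_VALUE, "IDLETIMER", "--timeout", optarg)`. The label is also emitted by `idletimer_tg_save` as `--label %s` without quoting, so a label containing whitespace would not round-trip through iptables-save/restore; either reject such labels in the parser or state the restriction in libxt_IDLETIMER.man next to the 27-character limit.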
diff --git a/extensions/libxt_IDLETIMER.man b/extensions/libxt_IDLETIMER.man
new file mode 100644
index 00000000..e3c91cea
--- /dev/null
+++ b/extensions/libxt_IDLETIMER.man
@@ -0,0 +1,20 @@
+This target can be used to identify when interfaces have been idle for a
+certain period of time. Timers are identified by labels and are created when
+a rule is set with a new label. The rules also take a timeout value (in
+seconds) as an option. If more than one rule uses the same timer label, the
+timer will be restarted whenever any of the rules get a hit. One entry for
+each timer is created in sysfs. This attribute contains the timer remaining
+for the timer to expire. The attributes are located under the xt_idletimer
+class:
+.PP
+/sys/class/xt_idletimer/timers/<label>
+.PP
+When the timer expires, the target module sends a sysfs notification to the
+userspace, which can then decide what to do (eg. disconnect to save power).
+.TP
+\fB\-\-timeout\fP \fIamount\fP
+This is the time in seconds that will trigger the notification.
+.TP
+\fB\-\-label\fP \fIstring\fP
+This is a unique identifier for the timer. The maximum length for the
+label string is 27 characters.
diff --git a/extensions/libxt_LED.c b/extensions/libxt_LED.c
index af0e091e..ca1b6ed4 100644
--- a/extensions/libxt_LED.c
+++ b/extensions/libxt_LED.c
@@ -9,7 +9,7 @@
* published by the Free Software Foundation.
*
*/
-
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -24,7 +24,7 @@ static const struct option LED_opts[] = {
{.name = "led-trigger-id", .has_arg = true, .val = 'i'},
{.name = "led-delay", .has_arg = true, .val = 'd'},
{.name = "led-always-blink", .has_arg = false, .val = 'a'},
- {.name = NULL},
+ XT_GETOPT_TABLEEND,
};
static void LED_help(void)
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index dbfc7c0c..39996d0a 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -40,10 +40,10 @@ static void MARK_help(void)
}
static const struct option MARK_opts[] = {
- { "set-mark", 1, NULL, '1' },
- { "and-mark", 1, NULL, '2' },
- { "or-mark", 1, NULL, '3' },
- { .name = NULL }
+ {.name = "set-mark", .has_arg = true, .val = '1'},
+ {.name = "and-mark", .has_arg = true, .val = '2'},
+ {.name = "or-mark", .has_arg = true, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static const struct option mark_tg_opts[] = {
@@ -52,7 +52,7 @@ static const struct option mark_tg_opts[] = {
{.name = "and-mark", .has_arg = true, .val = '&'},
{.name = "or-mark", .has_arg = true, .val = '|'},
{.name = "xor-mark", .has_arg = true, .val = '^'},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static void mark_tg_help(void)
diff --git a/extensions/libxt_MARK.man b/extensions/libxt_MARK.man
index aaeceb4a..712fb76f 100644
--- a/extensions/libxt_MARK.man
+++ b/extensions/libxt_MARK.man
@@ -5,23 +5,23 @@ PREROUTING chain of the mangle table to affect routing.
The mark field is 32 bits wide.
.TP
\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Zeroes out the bits given by \fImask\fR and XORs \fIvalue\fR into the packet
-mark ("nfmark"). If \fImask\fR is omitted, 0xFFFFFFFF is assumed.
+Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the packet
+mark ("nfmark"). If \fImask\fP is omitted, 0xFFFFFFFF is assumed.
.TP
\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Zeroes out the bits given by \fImask\fR and ORs \fIvalue\fR into the packet
-mark. If \fImask\fR is omitted, 0xFFFFFFFF is assumed.
+Zeroes out the bits given by \fImask\fP and ORs \fIvalue\fP into the packet
+mark. If \fImask\fP is omitted, 0xFFFFFFFF is assumed.
.PP
The following mnemonics are available:
.TP
\fB\-\-and\-mark\fP \fIbits\fP
-Binary AND the nfmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark
-0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.)
+Binary AND the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark
+0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
.TP
\fB\-\-or\-mark\fP \fIbits\fP
-Binary OR the nfmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP
-\fIbits\fR\fB/\fR\fIbits\fR.)
+Binary OR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
+\fIbits\fP\fB/\fP\fIbits\fP.)
.TP
\fB\-\-xor\-mark\fP \fIbits\fP
-Binary XOR the nfmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP
-\fIbits\fR\fB/0\fR.)
+Binary XOR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
+\fIbits\fP\fB/0\fP.)
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index e2185d5a..2cf279ad 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -1,3 +1,4 @@
+#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
@@ -15,11 +16,11 @@ enum {
};
static const struct option NFLOG_opts[] = {
- { "nflog-group", 1, NULL, NFLOG_GROUP },
- { "nflog-prefix", 1, NULL, NFLOG_PREFIX },
- { "nflog-range", 1, NULL, NFLOG_RANGE },
- { "nflog-threshold", 1, NULL, NFLOG_THRESHOLD },
- { .name = NULL }
+ {.name = "nflog-group", .has_arg = true, .val = NFLOG_GROUP},
+ {.name = "nflog-prefix", .has_arg = true, .val = NFLOG_PREFIX},
+ {.name = "nflog-range", .has_arg = true, .val = NFLOG_RANGE},
+ {.name = "nflog-threshold", .has_arg = true, .val = NFLOG_THRESHOLD},
+ XT_GETOPT_TABLEEND,
};
static void NFLOG_help(void)
diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 2d9d98ab..e412153a 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -5,6 +5,7 @@
* This program is distributed under the terms of GNU GPL v2, 1991
*
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -31,9 +32,9 @@ static void NFQUEUE_help_v1(void)
}
static const struct option NFQUEUE_opts[] = {
- { "queue-num", 1, NULL, 'F' },
- { "queue-balance", 1, NULL, 'B' },
- { .name = NULL }
+ {.name = "queue-num", .has_arg = true, .val = 'F'},
+ {.name = "queue-balance", .has_arg = true, .val = 'B'},
+ XT_GETOPT_TABLEEND,
};
static void exit_badqueue(const char *s)
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index 4b7831ff..d89f8184 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -1,3 +1,4 @@
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -31,10 +32,10 @@ enum RATEEST_options {
};
static const struct option RATEEST_opts[] = {
- { "rateest-name", 1, NULL, RATEEST_OPT_NAME },
- { "rateest-interval", 1, NULL, RATEEST_OPT_INTERVAL },
- { "rateest-ewmalog", 1, NULL, RATEEST_OPT_EWMALOG },
- { .name = NULL },
+ {.name = "rateest-name", .has_arg = true, .val = RATEEST_OPT_NAME},
+ {.name = "rateest-interval", .has_arg = true, .val = RATEEST_OPT_INTERVAL},
+ {.name = "rateest-ewmalog", .has_arg = true, .val = RATEEST_OPT_EWMALOG},
+ XT_GETOPT_TABLEEND,
};
/* Copied from iproute */
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index 2152b6fc..9e231eee 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -5,6 +5,7 @@
*
* Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -22,8 +23,8 @@ static void SECMARK_help(void)
}
static const struct option SECMARK_opts[] = {
- { "selctx", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "selctx", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static int SECMARK_parse(int c, char **argv, int invert, unsigned int *flags,
diff --git a/extensions/libxt_SET.c b/extensions/libxt_SET.c
index f6386a9e..c05811e6 100644
--- a/extensions/libxt_SET.c
+++ b/extensions/libxt_SET.c
@@ -9,6 +9,7 @@
*/
/* Shared library add-on to iptables to add IP set mangling target. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -32,9 +33,9 @@ set_target_help(void)
}
static const struct option set_target_opts[] = {
- { .name = "add-set", .has_arg = true, .val = '1'},
- { .name = "del-set", .has_arg = true, .val = '2'},
- { .name = NULL }
+ {.name = "add-set", .has_arg = true, .val = '1'},
+ {.name = "del-set", .has_arg = true, .val = '2'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libxt_TCPMSS.c b/extensions/libxt_TCPMSS.c
index ac9e2d0d..b24789a2 100644
--- a/extensions/libxt_TCPMSS.c
+++ b/extensions/libxt_TCPMSS.c
@@ -2,6 +2,7 @@
*
* Copyright (c) 2000 Marc Boucher
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -36,9 +37,9 @@ static void TCPMSS_help6(void)
}
static const struct option TCPMSS_opts[] = {
- { "set-mss", 1, NULL, '1' },
- { "clamp-mss-to-pmtu", 0, NULL, '2' },
- { .name = NULL }
+ {.name = "set-mss", .has_arg = true, .val = '1'},
+ {.name = "clamp-mss-to-pmtu", .has_arg = false, .val = '2'},
+ XT_GETOPT_TABLEEND,
};
static int __TCPMSS_parse(int c, char **argv, int invert, unsigned int *flags,
diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c
index a063d0d9..66ab46d2 100644
--- a/extensions/libxt_TCPOPTSTRIP.c
+++ b/extensions/libxt_TCPOPTSTRIP.c
@@ -28,7 +28,7 @@ struct tcp_optionmap {
static const struct option tcpoptstrip_tg_opts[] = {
{.name = "strip-options", .has_arg = true, .val = 's'},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static const struct tcp_optionmap tcp_optionmap[] = {
@@ -38,7 +38,7 @@ static const struct tcp_optionmap tcp_optionmap[] = {
{"sack", "Selective ACK", TCPOPT_SACK},
{"timestamp", "Timestamp", TCPOPT_TIMESTAMP},
{"md5", "MD5 signature", TCPOPT_MD5SIG},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static void tcpoptstrip_tg_help(void)
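Review bot: The second hunk terminates `tcp_optionmap[]` with `XT_GETOPT_TABLEEND`, but that array holds `struct tcp_optionmap` entries with three positional fields (e.g. `{"md5", "MD5 signature", TCPOPT_MD5SIG}`), not `struct option` entries. The macro is a getopt-table terminator; if it expands to designated initializers for `struct option` members such as `.has_arg`, this line does not compile for `struct tcp_optionmap`, and even where it happens to compile it ties this table to the layout of an unrelated struct. Keep a terminator spelled for this struct on that line, `{.name = NULL},` as before (the original shows `.name` is a valid member), and leave the macro to the getopt table in the first hunk. The definition of `struct tcp_optionmap` lies above the first hunk, outside this view.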
diff --git a/extensions/libxt_TOS.c b/extensions/libxt_TOS.c
index dc60cc08..9575c050 100644
--- a/extensions/libxt_TOS.c
+++ b/extensions/libxt_TOS.c
@@ -5,6 +5,7 @@
* Contact: Jan Engelhardt <jengelh@computergmbh.de>
*/
#include <getopt.h>
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -24,7 +25,7 @@ enum {
static const struct option tos_tg_opts_v0[] = {
{.name = "set-tos", .has_arg = true, .val = '='},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static const struct option tos_tg_opts[] = {
@@ -32,7 +33,7 @@ static const struct option tos_tg_opts[] = {
{.name = "and-tos", .has_arg = true, .val = '&'},
{.name = "or-tos", .has_arg = true, .val = '|'},
{.name = "xor-tos", .has_arg = true, .val = '^'},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static void tos_tg_help_v0(void)
diff --git a/extensions/libxt_TOS.man b/extensions/libxt_TOS.man
index d5cbfcb8..46f67379 100644
--- a/extensions/libxt_TOS.man
+++ b/extensions/libxt_TOS.man
@@ -1,11 +1,11 @@
This module sets the Type of Service field in the IPv4 header (including the
"precedence" bits) or the Priority field in the IPv6 header. Note that TOS
shares the same bits as DSCP and ECN. The TOS target is only valid in the
-\fBmangle\fR table.
+\fBmangle\fP table.
.TP
\fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Zeroes out the bits given by \fImask\fR and XORs \fIvalue\fR into the
-TOS/Priority field. If \fImask\fR is omitted, 0xFF is assumed.
+Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the
+TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed.
.TP
\fB\-\-set\-tos\fP \fIsymbol\fP
You can specify a symbolic name when using the TOS target for IPv4. It implies
@@ -15,13 +15,13 @@ iptables with \fB\-j TOS \-h\fP.
The following mnemonics are available:
.TP
\fB\-\-and\-tos\fP \fIbits\fP
-Binary AND the TOS value with \fIbits\fR. (Mnemonic for \fB\-\-set\-tos
-0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.)
+Binary AND the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos
+0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
.TP
\fB\-\-or\-tos\fP \fIbits\fP
-Binary OR the TOS value with \fIbits\fR. (Mnemonic for \fB\-\-set\-tos\fP
-\fIbits\fR\fB/\fR\fIbits\fR.)
+Binary OR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
+\fIbits\fP\fB/\fP\fIbits\fP.)
.TP
\fB\-\-xor\-tos\fP \fIbits\fP
-Binary XOR the TOS value with \fIbits\fR. (Mnemonic for \fB\-\-set\-tos\fP
-\fIbits\fR\fB/0\fR.)
+Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
+\fIbits\fP\fB/0\fP.)
diff --git a/extensions/libxt_TPROXY.c b/extensions/libxt_TPROXY.c
index d410c52b..cd0b50a6 100644
--- a/extensions/libxt_TPROXY.c
+++ b/extensions/libxt_TPROXY.c
@@ -15,10 +15,10 @@
#include <linux/netfilter/xt_TPROXY.h>
static const struct option tproxy_tg_opts[] = {
- { .name = "on-port", .has_arg = 1, .val = '1'},
- { .name = "on-ip", .has_arg = 1, .val = '2'},
- { .name = "tproxy-mark", .has_arg = 1, .val = '3'},
- {NULL},
+ {.name = "on-port", .has_arg = true, .val = '1'},
+ {.name = "on-ip", .has_arg = true, .val = '2'},
+ {.name = "tproxy-mark", .has_arg = true, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
enum {
diff --git a/extensions/libxt_TPROXY.man b/extensions/libxt_TPROXY.man
index 0129f845..2f7d82dc 100644
--- a/extensions/libxt_TPROXY.man
+++ b/extensions/libxt_TPROXY.man
@@ -1,4 +1,4 @@
-This target is only valid in the \fBmangle\fR table, in the \fBPREROUTING\fR
+This target is only valid in the \fBmangle\fP table, in the \fBPREROUTING\fP
chain and user-defined chains which are only called from this chain. It
redirects the packet to a local socket without changing the packet header in
any way. It can also change the mark value which can then be used in advanced
diff --git a/extensions/libxt_cluster.c b/extensions/libxt_cluster.c
index ea5d9fb4..15910455 100644
--- a/extensions/libxt_cluster.c
+++ b/extensions/libxt_cluster.c
@@ -5,6 +5,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -38,11 +39,11 @@ enum {
};
static const struct option cluster_opts[] = {
- { "cluster-total-nodes", 1, NULL, CLUSTER_OPT_TOTAL_NODES },
- { "cluster-local-node", 1, NULL, CLUSTER_OPT_LOCAL_NODE },
- { "cluster-local-nodemask", 1, NULL, CLUSTER_OPT_NODE_MASK },
- { "cluster-hash-seed", 1, NULL, CLUSTER_OPT_HASH_SEED },
- { .name = NULL }
+ {.name = "cluster-total-nodes", .has_arg = true, .val = CLUSTER_OPT_TOTAL_NODES},
+ {.name = "cluster-local-node", .has_arg = true, .val = CLUSTER_OPT_LOCAL_NODE},
+ {.name = "cluster-local-nodemask", .has_arg = true, .val = CLUSTER_OPT_NODE_MASK},
+ {.name = "cluster-hash-seed", .has_arg = true, .val = CLUSTER_OPT_HASH_SEED},
+ XT_GETOPT_TABLEEND,
};
static int
diff --git a/extensions/libxt_comment.c b/extensions/libxt_comment.c
index 0068a6e4..a9325a5d 100644
--- a/extensions/libxt_comment.c
+++ b/extensions/libxt_comment.c
@@ -6,6 +6,7 @@
* 2004-05-12: Brad Fisher <brad@info-link.net>
* Port to patch-o-matic-ng
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -22,8 +23,8 @@ static void comment_help(void)
}
static const struct option comment_opts[] = {
- { "comment", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "comment", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c
index 5ebdd340..2e20862d 100644
--- a/extensions/libxt_connbytes.c
+++ b/extensions/libxt_connbytes.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add byte tracking support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -18,10 +19,10 @@ static void connbytes_help(void)
}
static const struct option connbytes_opts[] = {
- { "connbytes", 1, NULL, '1' },
- { "connbytes-dir", 1, NULL, '2' },
- { "connbytes-mode", 1, NULL, '3' },
- { .name = NULL }
+ {.name = "connbytes", .has_arg = true, .val = '1'},
+ {.name = "connbytes-dir", .has_arg = true, .val = '2'},
+ {.name = "connbytes-mode", .has_arg = true, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index a2159158..b01d3012 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add connection limit support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -18,9 +19,9 @@ static void connlimit_help(void)
}
static const struct option connlimit_opts[] = {
- {"connlimit-above", 1, NULL, 'A'},
- {"connlimit-mask", 1, NULL, 'M'},
- { .name = NULL }
+ {.name = "connlimit-above", .has_arg = true, .val = 'A'},
+ {.name = "connlimit-mask", .has_arg = true, .val = 'M'},
+ XT_GETOPT_TABLEEND,
};
static void connlimit_init(struct xt_entry_match *match)
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
index c85d768c..c0246fdc 100644
--- a/extensions/libxt_connlimit.man
+++ b/extensions/libxt_connlimit.man
@@ -2,7 +2,7 @@ Allows you to restrict the number of parallel connections to a server per
client IP address (or client address block).
.TP
[\fB!\fP] \fB\-\-connlimit\-above\fP \fIn\fP
-Match if the number of existing connections is (not) above \fIn\fR.
+Match if the number of existing connections is (not) above \fIn\fP.
.TP
\fB\-\-connlimit\-mask\fP \fIprefix_length\fP
Group hosts using the prefix length. For IPv4, this must be a number between
diff --git a/extensions/libxt_connmark.c b/extensions/libxt_connmark.c
index 38aa5630..6bb26894 100644
--- a/extensions/libxt_connmark.c
+++ b/extensions/libxt_connmark.c
@@ -19,6 +19,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -46,7 +47,7 @@ static void connmark_mt_help(void)
static const struct option connmark_mt_opts[] = {
{.name = "mark", .has_arg = true, .val = '1'},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static int
diff --git a/extensions/libxt_connmark.man b/extensions/libxt_connmark.man
index ee87d9ec..4e838013 100644
--- a/extensions/libxt_connmark.man
+++ b/extensions/libxt_connmark.man
@@ -1,5 +1,5 @@
This module matches the netfilter mark field associated with a connection
-(which can be set using the \fBCONNMARK\fR target below).
+(which can be set using the \fBCONNMARK\fP target below).
.TP
[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
Matches packets in connections with the given mark value (if a mask is
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 5557d3ea..6c4a9cd1 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -88,7 +88,7 @@ static const struct option conntrack_mt_opts_v0[] = {
{.name = "ctrepldst", .has_arg = true, .val = '6'},
{.name = "ctstatus", .has_arg = true, .val = '7'},
{.name = "ctexpire", .has_arg = true, .val = '8'},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static const struct option conntrack_mt_opts[] = {
diff --git a/extensions/libxt_conntrack.man b/extensions/libxt_conntrack.man
index ec51ef53..d37ed171 100644
--- a/extensions/libxt_conntrack.man
+++ b/extensions/libxt_conntrack.man
@@ -1,36 +1,36 @@
This module, when combined with connection tracking, allows access to the
connection tracking state for this packet/connection.
.TP
-[\fB!\fR] \fB\-\-ctstate\fP \fIstatelist\fP
-\fIstatelist\fR is a comma separated list of the connection states to match.
+[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP
+\fIstatelist\fP is a comma separated list of the connection states to match.
Possible states are listed below.
.TP
-[\fB!\fR] \fB\-\-ctproto\fP \fIl4proto\fP
+[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP
Layer-4 protocol to match (by number or name)
.TP
-[\fB!\fR] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
-[\fB!\fR] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
-[\fB!\fR] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
-[\fB!\fR] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
Match against original/reply source/destination address
.TP
-[\fB!\fR] \fB\-\-ctorigsrcport\fP \fIport\fP
+[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP
.TP
-[\fB!\fR] \fB\-\-ctorigdstport\fP \fIport\fP
+[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP
.TP
-[\fB!\fR] \fB\-\-ctreplsrcport\fP \fIport\fP
+[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP
.TP
-[\fB!\fR] \fB\-\-ctrepldstport\fP \fIport\fP
+[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP
Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
.TP
-[\fB!\fR] \fB\-\-ctstatus\fP \fIstatelist\fP
-\fIstatuslist\fR is a comma separated list of the connection statuses to match.
+[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP
+\fIstatuslist\fP is a comma separated list of the connection statuses to match.
Possible statuses are listed below.
.TP
-[\fB!\fR] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
+[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
Match remaining lifetime in seconds against given value or range of values
(inclusive)
.TP
@@ -40,46 +40,46 @@ specified at all, matches packets in both directions.
.PP
States for \fB\-\-ctstate\fP:
.TP
-\fBINVALID\fR
+\fBINVALID\fP
meaning that the packet is associated with no known connection
.TP
-\fBNEW\fR
+\fBNEW\fP
meaning that the packet has started a new connection, or otherwise associated
with a connection which has not seen packets in both directions, and
.TP
-\fBESTABLISHED\fR
+\fBESTABLISHED\fP
meaning that the packet is associated with a connection which has seen packets
in both directions,
.TP
-\fBRELATED\fR
+\fBRELATED\fP
meaning that the packet is starting a new connection, but is associated with an
existing connection, such as an FTP data transfer, or an ICMP error.
.TP
-\fBUNTRACKED\fR
+\fBUNTRACKED\fP
meaning that the packet is not tracked at all, which happens if you use
the NOTRACK target in raw table.
.TP
-\fBSNAT\fR
+\fBSNAT\fP
A virtual state, matching if the original source address differs from the reply
destination.
.TP
-\fBDNAT\fR
+\fBDNAT\fP
A virtual state, matching if the original destination differs from the reply
source.
.PP
Statuses for \fB\-\-ctstatus\fP:
.TP
-\fBNONE\fR
+\fBNONE\fP
None of the below.
.TP
-\fBEXPECTED\fR
+\fBEXPECTED\fP
This is an expected connection (i.e. a conntrack helper set it up)
.TP
-\fBSEEN_REPLY\fR
+\fBSEEN_REPLY\fP
Conntrack has seen packets in both directions.
.TP
-\fBASSURED\fR
+\fBASSURED\fP
Conntrack entry should never be early-expired.
.TP
-\fBCONFIRMED\fR
+\fBCONFIRMED\fP
Connection is confirmed: originating packet has left box.
diff --git a/extensions/libxt_cpu.c b/extensions/libxt_cpu.c
new file mode 100644
index 00000000..ee029960
--- /dev/null
+++ b/extensions/libxt_cpu.c
@@ -0,0 +1,99 @@
+/* Shared library add-on to iptables to add CPU match support. */
+#include <stdbool.h>
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_cpu.h>
+
+static void cpu_help(void)
+{
+ printf(
+"cpu match options:\n"
+"[!] --cpu number Match CPU number\n");
+}
+
+static const struct option cpu_opts[] = {
+ {.name = "cpu", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
+};
+
+static void
+parse_cpu(const char *s, struct xt_cpu_info *info)
+{
+ unsigned int cpu;
+ char *end;
+
+ if (!xtables_strtoui(s, &end, &cpu, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "cpu", "--cpu", s);
+
+ if (*end != '\0')
+ xtables_param_act(XTF_BAD_VALUE, "cpu", "--cpu", s);
+
+ info->cpu = cpu;
+}
+
+static int
+cpu_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_cpu_info *cpuinfo = (struct xt_cpu_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_cpu(optarg, cpuinfo);
+ if (invert)
+ cpuinfo->invert = 1;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void cpu_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "You must specify `--cpu'");
+}
+
+static void
+cpu_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_cpu_info *info = (void *)match->data;
+
+ printf("cpu %s%u ", info->invert ? "! ":"", info->cpu);
+}
+
+static void cpu_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_cpu_info *info = (void *)match->data;
+
+ printf("%s--cpu %u ", info->invert ? "! ":"", info->cpu);
+}
+
+static struct xtables_match cpu_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "cpu",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_cpu_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_cpu_info)),
+ .help = cpu_help,
+ .parse = cpu_parse,
+ .final_check = cpu_check,
+ .print = cpu_print,
+ .save = cpu_save,
+ .extra_opts = cpu_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&cpu_match);
+}
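Review bot: cpu_parse sets `*flags = 1` unconditionally in case '1', so `--cpu 0 --cpu 3` is accepted silently and the last value wins, unlike most extensions, which reject a repeated option; add `if (*flags) xtables_error(PARAMETER_PROBLEM, "cpu: --cpu may only be specified once");` before the parse_cpu call. parse_cpu bounds the value only by UINT32_MAX, whereas the accompanying man page documents CPUs as 0 to NR_CPUS-1; userspace cannot know NR_CPUS, so a comment in parse_cpu such as `/* Upper bound is UINT32_MAX: NR_CPUS is unknown here; a value no CPU carries presumably yields a rule that never matches (or always matches when inverted). */` would save a reader from expecting a range error. UINT32_MAX is used without a direct `#include <stdint.h>`; it is presumably reached through xtables.h, but including it explicitly is cheaper than relying on that.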
diff --git a/extensions/libxt_cpu.man b/extensions/libxt_cpu.man
new file mode 100644
index 00000000..d9ea5c2f
--- /dev/null
+++ b/extensions/libxt_cpu.man
@@ -0,0 +1,15 @@
+.TP
+[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP
+Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1
+Can be used in combination with RPS (Remote Packet Steering) or
+multiqueue NICs to spread network traffic on different queues.
+.PP
+Example:
+.PP
+iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0
+\-j REDIRECT \-\-to\-port 8080
+.PP
+iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1
+\-j REDIRECT \-\-to\-port 8081
+.PP
+Available since Linux 2.6.36.
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index 8d0b13a2..104f46fa 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -5,6 +5,7 @@
* This program is distributed under the terms of GNU GPL v2, 1991
*
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -43,13 +44,13 @@ static void dccp_help(void)
}
static const struct option dccp_opts[] = {
- { .name = "source-port", .has_arg = 1, .val = '1' },
- { .name = "sport", .has_arg = 1, .val = '1' },
- { .name = "destination-port", .has_arg = 1, .val = '2' },
- { .name = "dport", .has_arg = 1, .val = '2' },
- { .name = "dccp-types", .has_arg = 1, .val = '3' },
- { .name = "dccp-option", .has_arg = 1, .val = '4' },
- { .name = NULL }
+ {.name = "source-port", .has_arg = true, .val = '1'},
+ {.name = "sport", .has_arg = true, .val = '1'},
+ {.name = "destination-port", .has_arg = true, .val = '2'},
+ {.name = "dport", .has_arg = true, .val = '2'},
+ {.name = "dccp-types", .has_arg = true, .val = '3'},
+ {.name = "dccp-option", .has_arg = true, .val = '4'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
index 1569f7d4..4f81f2f1 100644
--- a/extensions/libxt_dscp.c
+++ b/extensions/libxt_dscp.c
@@ -12,6 +12,7 @@
* http://www.iana.org/assignments/dscp-registry
*
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -38,9 +39,9 @@ static void dscp_help(void)
}
static const struct option dscp_opts[] = {
- { "dscp", 1, NULL, 'F' },
- { "dscp-class", 1, NULL, 'G' },
- { .name = NULL }
+ {.name = "dscp", .has_arg = true, .val = 'F'},
+ {.name = "dscp-class", .has_arg = true, .val = 'G'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c
index 18218f47..070a6a45 100644
--- a/extensions/libxt_esp.c
+++ b/extensions/libxt_esp.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add ESP support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -19,8 +20,8 @@ static void esp_help(void)
}
static const struct option esp_opts[] = {
- { "espspi", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "espspi", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static u_int32_t
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 7442dfcf..fbf19d2b 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -67,15 +67,15 @@ static void hashlimit_mt_help(void)
}
static const struct option hashlimit_opts[] = {
- { "hashlimit", 1, NULL, '%' },
- { "hashlimit-burst", 1, NULL, '$' },
- { "hashlimit-htable-size", 1, NULL, '&' },
- { "hashlimit-htable-max", 1, NULL, '*' },
- { "hashlimit-htable-gcinterval", 1, NULL, '(' },
- { "hashlimit-htable-expire", 1, NULL, ')' },
- { "hashlimit-mode", 1, NULL, '_' },
- { "hashlimit-name", 1, NULL, '"' },
- { .name = NULL }
+ {.name = "hashlimit", .has_arg = true, .val = '%'},
+ {.name = "hashlimit-burst", .has_arg = true, .val = '$'},
+ {.name = "hashlimit-htable-size", .has_arg = true, .val = '&'},
+ {.name = "hashlimit-htable-max", .has_arg = true, .val = '*'},
+ {.name = "hashlimit-htable-gcinterval", .has_arg = true, .val = '('},
+ {.name = "hashlimit-htable-expire", .has_arg = true, .val = ')'},
+ {.name = "hashlimit-mode", .has_arg = true, .val = '_'},
+ {.name = "hashlimit-name", .has_arg = true, .val = '"'},
+ XT_GETOPT_TABLEEND,
};
static const struct option hashlimit_mt_opts[] = {
@@ -91,7 +91,7 @@ static const struct option hashlimit_mt_opts[] = {
{.name = "hashlimit-htable-expire", .has_arg = true, .val = ')'},
{.name = "hashlimit-mode", .has_arg = true, .val = '_'},
{.name = "hashlimit-name", .has_arg = true, .val = '"'},
- {},
+ XT_GETOPT_TABLEEND,
};
static
diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
index b870f550..e91d0c63 100644
--- a/extensions/libxt_hashlimit.man
+++ b/extensions/libxt_hashlimit.man
@@ -1,7 +1,7 @@
-\fBhashlimit\fR uses hash buckets to express a rate limiting match (like the
-\fBlimit\fR match) for a group of connections using a \fBsingle\fR iptables
+\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the
+\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
rule. Grouping can be done per-hostgroup (source and/or destination address)
-and/or per-port. It gives you the ability to express "\fIN\fR packets per time
+and/or per-port. It gives you the ability to express "\fIN\fP packets per time
quantum per group":
.TP
matching on source host
@@ -17,11 +17,11 @@ A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
\fB\-\-hashlimit\-name\fP are required.
.TP
\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
-Match if the rate is below or equal to \fIamount\fR/quantum. It is specified as
+Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as
a number, with an optional time quantum suffix; the default is 3/hour.
.TP
\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
-Match if the rate is above \fIamount\fR/quantum.
+Match if the rate is above \fIamount\fP/quantum.
.TP
\fB\-\-hashlimit\-burst\fP \fIamount\fP
Maximum initial number of packets to match: this number gets recharged by one
@@ -36,7 +36,7 @@ expensive of doing the hash housekeeping.
\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
grouped according to the given prefix length and the so-created subnet will be
-subject to hashlimit. \fIprefix\fR must be between (inclusive) 0 and 32. Note
+subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note
that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
srcip for \-\-hashlimit\-mode, but is technically more expensive.
.TP
diff --git a/extensions/libxt_helper.c b/extensions/libxt_helper.c
index 35b5f152..e9551bc7 100644
--- a/extensions/libxt_helper.c
+++ b/extensions/libxt_helper.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add related packet matching support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -16,8 +17,8 @@ static void helper_help(void)
}
static const struct option helper_opts[] = {
- { "helper", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "helper", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static int
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index 55a2f84b..6b511b56 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add IP range matching support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -39,7 +40,7 @@ static void iprange_mt_help(void)
static const struct option iprange_mt_opts[] = {
{.name = "src-range", .has_arg = true, .val = '1'},
{.name = "dst-range", .has_arg = true, .val = '2'},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libxt_iprange.man b/extensions/libxt_iprange.man
index 9f65de44..9bbaac35 100644
--- a/extensions/libxt_iprange.man
+++ b/extensions/libxt_iprange.man
@@ -1,7 +1,7 @@
This matches on a given arbitrary range of IP addresses.
.TP
-[\fB!\fR] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
+[\fB!\fP] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
Match source IP in the specified range.
.TP
-[\fB!\fR] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
+[\fB!\fP] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
Match destination IP in the specified range.
diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c
new file mode 100644
index 00000000..493d975a
--- /dev/null
+++ b/extensions/libxt_ipvs.c
@@ -0,0 +1,366 @@
+/*
+ * Shared library add-on to iptables to add IPVS matching.
+ *
+ * Detailed doc is in the kernel module source net/netfilter/xt_ipvs.c
+ *
+ * Author: Hannes Eder <heder@google.com>
+ */
+#include <sys/types.h>
+#include <assert.h>
+#include <ctype.h>
+#include <errno.h>
+#include <getopt.h>
+#include <netdb.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/ip_vs.h>
+#include <linux/netfilter/xt_ipvs.h>
+
+static const struct option ipvs_mt_opts[] = {
+ { .name = "ipvs", .has_arg = false, .val = '0' },
+ { .name = "vproto", .has_arg = true, .val = '1' },
+ { .name = "vaddr", .has_arg = true, .val = '2' },
+ { .name = "vport", .has_arg = true, .val = '3' },
+ { .name = "vdir", .has_arg = true, .val = '4' },
+ { .name = "vmethod", .has_arg = true, .val = '5' },
+ { .name = "vportctl", .has_arg = true, .val = '6' },
+ XT_GETOPT_TABLEEND,
+};
+
+static void ipvs_mt_help(void)
+{
+ printf(
+"IPVS match options:\n"
+"[!] --ipvs packet belongs to an IPVS connection\n"
+"\n"
+"Any of the following options implies --ipvs (even negated)\n"
+"[!] --vproto protocol VIP protocol to match; by number or name,\n"
+" e.g. \"tcp\"\n"
+"[!] --vaddr address[/mask] VIP address to match\n"
+"[!] --vport port VIP port to match; by number or name,\n"
+" e.g. \"http\"\n"
+" --vdir {ORIGINAL|REPLY} flow direction of packet\n"
+"[!] --vmethod {GATE|IPIP|MASQ} IPVS forwarding method used\n"
+"[!] --vportctl port VIP port of the controlling connection to\n"
+" match, e.g. 21 for FTP\n"
+ );
+}
+
+static void ipvs_mt_parse_addr_and_mask(const char *arg,
+ union nf_inet_addr *address,
+ union nf_inet_addr *mask,
+ unsigned int family)
+{
+ struct in_addr *addr = NULL;
+ struct in6_addr *addr6 = NULL;
+ unsigned int naddrs = 0;
+
+ if (family == NFPROTO_IPV4) {
+ xtables_ipparse_any(arg, &addr, &mask->in, &naddrs);
+ if (naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&address->in, addr, sizeof(*addr));
+ } else if (family == NFPROTO_IPV6) {
+ xtables_ip6parse_any(arg, &addr6, &mask->in6, &naddrs);
+ if (naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&address->in6, addr6, sizeof(*addr6));
+ } else {
+ /* Hu? */
+ assert(false);
+ }
+}
+
+/* Function which parses command options; returns true if it ate an option */
+static int ipvs_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match,
+ unsigned int family)
+{
+ struct xt_ipvs_mtinfo *data = (void *)(*match)->data;
+ char *p = NULL;
+ u_int8_t op = 0;
+
+ if ('0' <= c && c <= '6') {
+ static const int ops[] = {
+ XT_IPVS_IPVS_PROPERTY,
+ XT_IPVS_PROTO,
+ XT_IPVS_VADDR,
+ XT_IPVS_VPORT,
+ XT_IPVS_DIR,
+ XT_IPVS_METHOD,
+ XT_IPVS_VPORTCTL
+ };
+ op = ops[c - '0'];
+ } else
+ return 0;
+
+ if (*flags & op & XT_IPVS_ONCE_MASK)
+ goto multiple_use;
+
+ switch (c) {
+ case '0': /* --ipvs */
+ /* Nothing to do here. */
+ break;
+
+ case '1': /* --vproto */
+ /* Canonicalize into lower case */
+ for (p = optarg; *p != '\0'; ++p)
+ *p = tolower(*p);
+
+ data->l4proto = xtables_parse_protocol(optarg);
+ break;
+
+ case '2': /* --vaddr */
+ ipvs_mt_parse_addr_and_mask(optarg, &data->vaddr,
+ &data->vmask, family);
+ break;
+
+ case '3': /* --vport */
+ data->vport = htons(xtables_parse_port(optarg, "tcp"));
+ break;
+
+ case '4': /* --vdir */
+ xtables_param_act(XTF_NO_INVERT, "ipvs", "--vdir", invert);
+ if (strcasecmp(optarg, "ORIGINAL") == 0) {
+ data->bitmask |= XT_IPVS_DIR;
+ data->invert &= ~XT_IPVS_DIR;
+ } else if (strcasecmp(optarg, "REPLY") == 0) {
+ data->bitmask |= XT_IPVS_DIR;
+ data->invert |= XT_IPVS_DIR;
+ } else {
+ xtables_param_act(XTF_BAD_VALUE,
+ "ipvs", "--vdir", optarg);
+ }
+ break;
+
+ case '5': /* --vmethod */
+ if (strcasecmp(optarg, "GATE") == 0)
+ data->fwd_method = IP_VS_CONN_F_DROUTE;
+ else if (strcasecmp(optarg, "IPIP") == 0)
+ data->fwd_method = IP_VS_CONN_F_TUNNEL;
+ else if (strcasecmp(optarg, "MASQ") == 0)
+ data->fwd_method = IP_VS_CONN_F_MASQ;
+ else
+ xtables_param_act(XTF_BAD_VALUE,
+ "ipvs", "--vmethod", optarg);
+ break;
+
+ case '6': /* --vportctl */
+ data->vportctl = htons(xtables_parse_port(optarg, "tcp"));
+ break;
+
+ default:
+ /* Hu? How did we come here? */
+ assert(false);
+ return 0;
+ }
+
+ if (op & XT_IPVS_ONCE_MASK) {
+ if (data->invert & XT_IPVS_IPVS_PROPERTY)
+ xtables_error(PARAMETER_PROBLEM,
+ "! --ipvs cannot be together with"
+ " other options");
+ data->bitmask |= XT_IPVS_IPVS_PROPERTY;
+ }
+
+ data->bitmask |= op;
+ if (invert)
+ data->invert |= op;
+ *flags |= op;
+ return 1;
+
+multiple_use:
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple use of the same IPVS option is not allowed");
+}
+
+static int ipvs_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return ipvs_mt_parse(c, argv, invert, flags, entry, match,
+ NFPROTO_IPV4);
+}
+
+static int ipvs_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return ipvs_mt_parse(c, argv, invert, flags, entry, match,
+ NFPROTO_IPV6);
+}
+
+static void ipvs_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "IPVS: At least one option is required");
+}
+
+/* Shamelessly copied from libxt_conntrack.c */
+static void ipvs_mt_dump_addr(const union nf_inet_addr *addr,
+ const union nf_inet_addr *mask,
+ unsigned int family, bool numeric)
+{
+ char buf[BUFSIZ];
+
+ if (family == NFPROTO_IPV4) {
+ if (!numeric && addr->ip == 0) {
+ printf("anywhere ");
+ return;
+ }
+ if (numeric)
+ strcpy(buf, xtables_ipaddr_to_numeric(&addr->in));
+ else
+ strcpy(buf, xtables_ipaddr_to_anyname(&addr->in));
+ strcat(buf, xtables_ipmask_to_numeric(&mask->in));
+ printf("%s ", buf);
+ } else if (family == NFPROTO_IPV6) {
+ if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 &&
+ addr->ip6[2] == 0 && addr->ip6[3] == 0) {
+ printf("anywhere ");
+ return;
+ }
+ if (numeric)
+ strcpy(buf, xtables_ip6addr_to_numeric(&addr->in6));
+ else
+ strcpy(buf, xtables_ip6addr_to_anyname(&addr->in6));
+ strcat(buf, xtables_ip6mask_to_numeric(&mask->in6));
+ printf("%s ", buf);
+ }
+}
+
+static void ipvs_mt_dump(const void *ip, const struct xt_ipvs_mtinfo *data,
+ unsigned int family, bool numeric, const char *prefix)
+{
+ if (data->bitmask == XT_IPVS_IPVS_PROPERTY) {
+ if (data->invert & XT_IPVS_IPVS_PROPERTY)
+ printf("! ");
+ printf("%sipvs ", prefix);
+ }
+
+ if (data->bitmask & XT_IPVS_PROTO) {
+ if (data->invert & XT_IPVS_PROTO)
+ printf("! ");
+ printf("%sproto %u ", prefix, data->l4proto);
+ }
+
+ if (data->bitmask & XT_IPVS_VADDR) {
+ if (data->invert & XT_IPVS_VADDR)
+ printf("! ");
+
+ printf("%svaddr ", prefix);
+ ipvs_mt_dump_addr(&data->vaddr, &data->vmask, family, numeric);
+ }
+
+ if (data->bitmask & XT_IPVS_VPORT) {
+ if (data->invert & XT_IPVS_VPORT)
+ printf("! ");
+
+ printf("%svport %u ", prefix, ntohs(data->vport));
+ }
+
+ if (data->bitmask & XT_IPVS_DIR) {
+ if (data->invert & XT_IPVS_DIR)
+ printf("%svdir REPLY ", prefix);
+ else
+ printf("%svdir ORIGINAL ", prefix);
+ }
+
+ if (data->bitmask & XT_IPVS_METHOD) {
+ if (data->invert & XT_IPVS_METHOD)
+ printf("! ");
+
+ printf("%svmethod ", prefix);
+ switch (data->fwd_method) {
+ case IP_VS_CONN_F_DROUTE:
+ printf("GATE ");
+ break;
+ case IP_VS_CONN_F_TUNNEL:
+ printf("IPIP ");
+ break;
+ case IP_VS_CONN_F_MASQ:
+ printf("MASQ ");
+ break;
+ default:
+ /* Hu? */
+ printf("UNKNOWN ");
+ break;
+ }
+ }
+
+ if (data->bitmask & XT_IPVS_VPORTCTL) {
+ if (data->invert & XT_IPVS_VPORTCTL)
+ printf("! ");
+
+ printf("%svportctl %u ", prefix, ntohs(data->vportctl));
+ }
+}
+
+static void ipvs_mt4_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_ipvs_mtinfo *data = (const void *)match->data;
+ ipvs_mt_dump(ip, data, NFPROTO_IPV4, numeric, "");
+}
+
+static void ipvs_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_ipvs_mtinfo *data = (const void *)match->data;
+ ipvs_mt_dump(ip, data, NFPROTO_IPV6, numeric, "");
+}
+
+static void ipvs_mt4_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_ipvs_mtinfo *data = (const void *)match->data;
+ ipvs_mt_dump(ip, data, NFPROTO_IPV4, true, "--");
+}
+
+static void ipvs_mt6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_ipvs_mtinfo *data = (const void *)match->data;
+ ipvs_mt_dump(ip, data, NFPROTO_IPV6, true, "--");
+}
+
+static struct xtables_match ipvs_matches_reg[] = {
+ {
+ .version = XTABLES_VERSION,
+ .name = "ipvs",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)),
+ .help = ipvs_mt_help,
+ .parse = ipvs_mt4_parse,
+ .final_check = ipvs_mt_check,
+ .print = ipvs_mt4_print,
+ .save = ipvs_mt4_save,
+ .extra_opts = ipvs_mt_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "ipvs",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)),
+ .help = ipvs_mt_help,
+ .parse = ipvs_mt6_parse,
+ .final_check = ipvs_mt_check,
+ .print = ipvs_mt6_print,
+ .save = ipvs_mt6_save,
+ .extra_opts = ipvs_mt_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(ipvs_matches_reg,
+ ARRAY_SIZE(ipvs_matches_reg));
+}
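Review bot: The `! --ipvs cannot be together with other options` check in ipvs_mt_parse is order-dependent: it fires only when a later option finds XT_IPVS_IPVS_PROPERTY already inverted, so `! --ipvs --vproto tcp` is rejected while `--vproto tcp ! --ipvs` passes, because case '0' does nothing and the final block then sets the inverted bit without looking at data->bitmask. Add the mirror check after the switch, `if (c == '0' && invert && (data->bitmask & XT_IPVS_ONCE_MASK))`, followed by the same xtables_error call. In case '1', `*p = tolower(*p)` passes a plain char, which is undefined for negative values where char is signed; use `*p = tolower((unsigned char)*p);`. In ipvs_mt_dump_addr the strcpy/strcat into `buf[BUFSIZ]` are unbounded and the buffer is not needed at all: printing the two parts in sequence, `printf("%s", numeric ? xtables_ipaddr_to_numeric(&addr->in) : xtables_ipaddr_to_anyname(&addr->in));` then `printf("%s ", xtables_ipmask_to_numeric(&mask->in));` (and the in6 counterpart), gives the same output with no copy.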
diff --git a/extensions/libxt_ipvs.man b/extensions/libxt_ipvs.man
new file mode 100644
index 00000000..db9bc667
--- /dev/null
+++ b/extensions/libxt_ipvs.man
@@ -0,0 +1,24 @@
+Match IPVS connection properties.
+.TP
+[\fB!\fP] \fB\-\-ipvs\fP
+packet belongs to an IPVS connection
+.TP
+Any of the following options implies \-\-ipvs (even negated)
+.TP
+[\fB!\fP] \fB\-\-vproto\fP \fIprotocol\fP
+VIP protocol to match; by number or name, e.g. "tcp"
+.TP
+[\fB!\fP] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+VIP address to match
+.TP
+[\fB!\fP] \fB\-\-vport\fP \fIport\fP
+VIP port to match; by number or name, e.g. "http"
+.TP
+\fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
+flow direction of packet
+.TP
+[\fB!\fP] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP}
+IPVS forwarding method used
+.TP
+[\fB!\fP] \fB\-\-vportctl\fP \fIport\fP
+VIP port of the controlling connection to match, e.g. 21 for FTP
diff --git a/extensions/libxt_length.c b/extensions/libxt_length.c
index 96e8b6cd..aeba52f9 100644
--- a/extensions/libxt_length.c
+++ b/extensions/libxt_length.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add packet length matching support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -17,8 +18,8 @@ static void length_help(void)
}
static const struct option length_opts[] = {
- { "length", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "length", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static u_int16_t
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index c836303c..3f94e216 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -3,7 +3,7 @@
* Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
* Hervé Eychenne <rv@wallfire.org>
*/
-
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -29,9 +29,9 @@ XT_LIMIT_BURST);
}
static const struct option limit_opts[] = {
- { "limit", 1, NULL, '%' },
- { "limit-burst", 1, NULL, '$' },
- { .name = NULL }
+ {.name = "limit", .has_arg = true, .val = '%'},
+ {.name = "limit-burst", .has_arg = true, .val = '$'},
+ XT_GETOPT_TABLEEND,
};
static
diff --git a/extensions/libxt_mac.c b/extensions/libxt_mac.c
index 00996a0c..eb074676 100644
--- a/extensions/libxt_mac.c
+++ b/extensions/libxt_mac.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add MAC address support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -21,8 +22,8 @@ static void mac_help(void)
}
static const struct option mac_opts[] = {
- { "mac-source", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "mac-source", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
index 8013c9a1..a2bc4f89 100644
--- a/extensions/libxt_mark.c
+++ b/extensions/libxt_mark.c
@@ -27,7 +27,7 @@ static void mark_mt_help(void)
static const struct option mark_mt_opts[] = {
{.name = "mark", .has_arg = true, .val = '1'},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static int mark_mt_parse(int c, char **argv, int invert, unsigned int *flags,
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index e8a0dab5..5b823b62 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add multiple TCP port support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -44,12 +45,12 @@ static void multiport_help_v1(void)
}
static const struct option multiport_opts[] = {
- { "source-ports", 1, NULL, '1' },
- { "sports", 1, NULL, '1' }, /* synonym */
- { "destination-ports", 1, NULL, '2' },
- { "dports", 1, NULL, '2' }, /* synonym */
- { "ports", 1, NULL, '3' },
- { .name = NULL }
+ {.name = "source-ports", .has_arg = true, .val = '1'},
+ {.name = "sports", .has_arg = true, .val = '1'}, /* synonym */
+ {.name = "destination-ports", .has_arg = true, .val = '2'},
+ {.name = "dports", .has_arg = true, .val = '2'}, /* synonym */
+ {.name = "ports", .has_arg = true, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static char *
diff --git a/extensions/libxt_osf.c b/extensions/libxt_osf.c
index 07b86e40..66c23b4d 100644
--- a/extensions/libxt_osf.c
+++ b/extensions/libxt_osf.c
@@ -20,7 +20,7 @@
/*
* xtables interface for OS fingerprint matching module.
*/
-
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -54,10 +54,10 @@ static void osf_help(void)
static const struct option osf_opts[] = {
- { .name = "genre", .has_arg = true, .val = '1' },
- { .name = "ttl", .has_arg = true, .val = '2' },
- { .name = "log", .has_arg = true, .val = '3' },
- { .name = NULL }
+ {.name = "genre", .has_arg = true, .val = '1'},
+ {.name = "ttl", .has_arg = true, .val = '2'},
+ {.name = "log", .has_arg = true, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index b595d972..4015f137 100644
--- a/extensions/libxt_owner.c
+++ b/extensions/libxt_owner.c
@@ -113,7 +113,7 @@ static const struct option owner_mt_opts_v0[] = {
#ifdef IPT_OWNER_COMM
{.name = "cmd-owner", .has_arg = true, .val = 'c'},
#endif
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static const struct option owner_mt6_opts_v0[] = {
@@ -121,14 +121,14 @@ static const struct option owner_mt6_opts_v0[] = {
{.name = "gid-owner", .has_arg = true, .val = 'g'},
{.name = "pid-owner", .has_arg = true, .val = 'p'},
{.name = "sid-owner", .has_arg = true, .val = 's'},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static const struct option owner_mt_opts[] = {
{.name = "uid-owner", .has_arg = true, .val = 'u'},
{.name = "gid-owner", .has_arg = true, .val = 'g'},
{.name = "socket-exists", .has_arg = false, .val = 'k'},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static int
diff --git a/extensions/libxt_physdev.c b/extensions/libxt_physdev.c
index 5382ab60..d92df9e0 100644
--- a/extensions/libxt_physdev.c
+++ b/extensions/libxt_physdev.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add bridge port matching support. */
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -24,12 +25,12 @@ static void physdev_help(void)
}
static const struct option physdev_opts[] = {
- { "physdev-in", 1, NULL, '1' },
- { "physdev-out", 1, NULL, '2' },
- { "physdev-is-in", 0, NULL, '3' },
- { "physdev-is-out", 0, NULL, '4' },
- { "physdev-is-bridged", 0, NULL, '5' },
- { .name = NULL }
+ {.name = "physdev-in", .has_arg = true, .val = '1'},
+ {.name = "physdev-out", .has_arg = true, .val = '2'},
+ {.name = "physdev-is-in", .has_arg = false, .val = '3'},
+ {.name = "physdev-is-out", .has_arg = false, .val = '4'},
+ {.name = "physdev-is-bridged", .has_arg = false, .val = '5'},
+ XT_GETOPT_TABLEEND,
};
static int
diff --git a/extensions/libxt_pkttype.c b/extensions/libxt_pkttype.c
index cd83e730..d4025913 100644
--- a/extensions/libxt_pkttype.c
+++ b/extensions/libxt_pkttype.c
@@ -4,6 +4,7 @@
*
* Michal Ludvig <michal@logix.cz>
*/
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -61,8 +62,8 @@ static void pkttype_help(void)
}
static const struct option pkttype_opts[] = {
- {"pkt-type", 1, NULL, '1'},
- { .name = NULL }
+ {.name = "pkt-type", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static void parse_pkttype(const char *pkttype, struct xt_pkttype_info *info)
diff --git a/extensions/libxt_policy.c b/extensions/libxt_policy.c
index a87ddd89..3ddb3ec7 100644
--- a/extensions/libxt_policy.c
+++ b/extensions/libxt_policy.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add policy support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -42,53 +43,55 @@ static const struct option policy_opts[] =
{
{
.name = "dir",
- .has_arg = 1,
+ .has_arg = true,
.val = '1',
},
{
.name = "pol",
- .has_arg = 1,
+ .has_arg = true,
.val = '2',
},
{
.name = "strict",
+ .has_arg = false,
.val = '3'
},
{
.name = "reqid",
- .has_arg = 1,
+ .has_arg = true,
.val = '4',
},
{
.name = "spi",
- .has_arg = 1,
+ .has_arg = true,
.val = '5'
},
{
.name = "tunnel-src",
- .has_arg = 1,
+ .has_arg = true,
.val = '6'
},
{
.name = "tunnel-dst",
- .has_arg = 1,
+ .has_arg = true,
.val = '7'
},
{
.name = "proto",
- .has_arg = 1,
+ .has_arg = true,
.val = '8'
},
{
.name = "mode",
- .has_arg = 1,
+ .has_arg = true,
.val = '9'
},
{
.name = "next",
+ .has_arg = false,
.val = 'a'
},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static int parse_direction(char *s)
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index ac7c686e..cfd975d0 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -3,6 +3,7 @@
*
* Sam Johnston <samj@samj.net>
*/
+#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
@@ -12,8 +13,8 @@
#include <linux/netfilter/xt_quota.h>
static const struct option quota_opts[] = {
- {"quota", 1, NULL, '1'},
- { .name = NULL }
+ {.name = "quota", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static void quota_help(void)
@@ -82,7 +83,7 @@ static struct xtables_match quota_match = {
.name = "quota",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof (struct xt_quota_info)),
- .userspacesize = offsetof(struct xt_quota_info, quota),
+ .userspacesize = offsetof(struct xt_quota_info, master),
.help = quota_help,
.parse = quota_parse,
.print = quota_print,
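Review bot: The new `userspacesize` of `offsetof(struct xt_quota_info, master)` only has the intended meaning together with the field reorder in include/linux/netfilter/xt_quota.h from this same commit, which moves `quota` ahead of the kernel-private `master`; a one-line comment would make that coupling visible, e.g. `.userspacesize = offsetof(struct xt_quota_info, master), /* flags, pad and quota; master is kernel-private */`. If I read userspacesize correctly, rules that differ only in their quota value are now treated as distinct when iptables looks up an existing rule, which is presumably the intent but is worth stating in the commit description. The `quota_match` initializer starts before this hunk.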
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index ad0884e7..6aefb5c3 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -1,3 +1,4 @@
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -40,20 +41,20 @@ enum rateest_options {
};
static const struct option rateest_opts[] = {
- { "rateest1", 1, NULL, OPT_RATEEST1 },
- { "rateest", 1, NULL, OPT_RATEEST1 }, /* alias for absolute mode */
- { "rateest2", 1, NULL, OPT_RATEEST2 },
- { "rateest-bps1", 0, NULL, OPT_RATEEST_BPS1 },
- { "rateest-pps1", 0, NULL, OPT_RATEEST_PPS1 },
- { "rateest-bps2", 0, NULL, OPT_RATEEST_BPS2 },
- { "rateest-pps2", 0, NULL, OPT_RATEEST_PPS2 },
- { "rateest-bps", 0, NULL, OPT_RATEEST_BPS2 }, /* alias for absolute mode */
- { "rateest-pps", 0, NULL, OPT_RATEEST_PPS2 }, /* alias for absolute mode */
- { "rateest-delta", 0, NULL, OPT_RATEEST_DELTA },
- { "rateest-lt", 0, NULL, OPT_RATEEST_LT },
- { "rateest-gt", 0, NULL, OPT_RATEEST_GT },
- { "rateest-eq", 0, NULL, OPT_RATEEST_EQ },
- { .name = NULL }
+ {.name = "rateest1", .has_arg = true, .val = OPT_RATEEST1},
+ {.name = "rateest", .has_arg = true, .val = OPT_RATEEST1}, /* alias for absolute mode */
+ {.name = "rateest2", .has_arg = true, .val = OPT_RATEEST2},
+ {.name = "rateest-bps1", .has_arg = false, .val = OPT_RATEEST_BPS1},
+ {.name = "rateest-pps1", .has_arg = false, .val = OPT_RATEEST_PPS1},
+ {.name = "rateest-bps2", .has_arg = false, .val = OPT_RATEEST_BPS2},
+ {.name = "rateest-pps2", .has_arg = false, .val = OPT_RATEEST_PPS2},
+ {.name = "rateest-bps", .has_arg = false, .val = OPT_RATEEST_BPS2}, /* alias for absolute mode */
+ {.name = "rateest-pps", .has_arg = false, .val = OPT_RATEEST_PPS2}, /* alias for absolute mode */
+ {.name = "rateest-delta", .has_arg = false, .val = OPT_RATEEST_DELTA},
+ {.name = "rateest-lt", .has_arg = false, .val = OPT_RATEEST_LT},
+ {.name = "rateest-gt", .has_arg = false, .val = OPT_RATEEST_GT},
+ {.name = "rateest-eq", .has_arg = false, .val = OPT_RATEEST_EQ},
+ XT_GETOPT_TABLEEND,
};
/* Copied from iproute. See http://physics.nist.gov/cuu/Units/binary.html */
@@ -79,7 +80,7 @@ static const struct rate_suffix {
{ "GBps", 8000000000. },
{ "TiBps", 8.*1024.*1024.*1024.*1024. },
{ "TBps", 8000000000000. },
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
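Review bot: `XT_GETOPT_TABLEEND` is used here to terminate `rate_suffix`, which is not a getopt table; the macro expands to the positional `{NULL}` (see include/xtables.h.in in this commit), so this compiles only because `name` happens to be the first member of `struct rate_suffix`, and a later field reorder would silently change what the terminator zeroes. tos_values.c in the same commit ends its non-getopt `tos_symbol_info` table with `{}` instead; use that form here too, or keep `{ .name = NULL }`, and reserve the macro for `struct option` arrays. The `rate_suffix` definition starts before this hunk.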
static int
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index ecc17ad4..41faeb61 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add recent matching support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -9,17 +10,17 @@
#include <linux/netfilter/xt_recent.h>
static const struct option recent_opts[] = {
- { .name = "set", .has_arg = 0, .val = 201 },
- { .name = "rcheck", .has_arg = 0, .val = 202 },
- { .name = "update", .has_arg = 0, .val = 203 },
- { .name = "seconds", .has_arg = 1, .val = 204 },
- { .name = "hitcount", .has_arg = 1, .val = 205 },
- { .name = "remove", .has_arg = 0, .val = 206 },
- { .name = "rttl", .has_arg = 0, .val = 207 },
- { .name = "name", .has_arg = 1, .val = 208 },
- { .name = "rsource", .has_arg = 0, .val = 209 },
- { .name = "rdest", .has_arg = 0, .val = 210 },
- { .name = NULL }
+ {.name = "set", .has_arg = false, .val = 201},
+ {.name = "rcheck", .has_arg = false, .val = 202},
+ {.name = "update", .has_arg = false, .val = 203},
+ {.name = "seconds", .has_arg = true, .val = 204},
+ {.name = "hitcount", .has_arg = true, .val = 205},
+ {.name = "remove", .has_arg = false, .val = 206},
+ {.name = "rttl", .has_arg = false, .val = 207},
+ {.name = "name", .has_arg = true, .val = 208},
+ {.name = "rsource", .has_arg = false, .val = 209},
+ {.name = "rdest", .has_arg = false, .val = 210},
+ XT_GETOPT_TABLEEND,
};
static void recent_help(void)
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 532c3286..0392c2ca 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -10,12 +10,12 @@ mutually exclusive.
.TP
\fB\-\-name\fP \fIname\fP
Specify the list to use for the commands. If no name is given then
-\fBDEFAULT\fR will be used.
+\fBDEFAULT\fP will be used.
.TP
-[\fB!\fR] \fB\-\-set\fP
+[\fB!\fP] \fB\-\-set\fP
This will add the source address of the packet to the list. If the source
address is already in the list, this will update the existing entry. This will
-always return success (or failure if \fB!\fR is passed in).
+always return success (or failure if \fB!\fP is passed in).
.TP
\fB\-\-rsource\fP
Match/save the source address of each packet in the recent list table. This
@@ -24,14 +24,14 @@ is the default.
\fB\-\-rdest\fP
Match/save the destination address of each packet in the recent list table.
.TP
-[\fB!\fR] \fB\-\-rcheck\fP
+[\fB!\fP] \fB\-\-rcheck\fP
Check if the source address of the packet is currently in the list.
.TP
-[\fB!\fR] \fB\-\-update\fP
+[\fB!\fP] \fB\-\-update\fP
Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
matches.
.TP
-[\fB!\fR] \fB\-\-remove\fP
+[\fB!\fP] \fB\-\-remove\fP
Check if the source address of the packet is currently in the list and if so
that address will be removed from the list and the rule will return true. If
the address is not found, false is returned.
@@ -68,37 +68,37 @@ iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \
Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
some examples of usage.
.PP
-\fB/proc/net/xt_recent/*\fR are the current lists of addresses and information
+\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
about each entry of each list.
.PP
-Each file in \fB/proc/net/xt_recent/\fR can be read from to see the current
+Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
list or written two using the following commands to modify the list:
.TP
-\fBecho +\fR\fIaddr\fR\fB >/proc/net/xt_recent/DEFAULT\fR
-to add \fIaddr\fR to the DEFAULT list
+\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
+to add \fIaddr\fP to the DEFAULT list
.TP
\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
-to remove \fIaddr\fR from the DEFAULT list
+to remove \fIaddr\fP from the DEFAULT list
.TP
-\fBecho / >/proc/net/xt_recent/DEFAULT\fR
+\fBecho / >/proc/net/xt_recent/DEFAULT\fP
to flush the DEFAULT list (remove all entries).
.PP
The module itself accepts parameters, defaults shown:
.TP
-\fBip_list_tot\fR=\fI100\fR
+\fBip_list_tot\fP=\fI100\fP
Number of addresses remembered per table.
.TP
-\fBip_pkt_list_tot\fR=\fI20\fR
+\fBip_pkt_list_tot\fP=\fI20\fP
Number of packets per address remembered.
.TP
-\fBip_list_hash_size\fR=\fI0\fR
+\fBip_list_hash_size\fP=\fI0\fP
Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
.TP
-\fBip_list_perms\fR=\fI0644\fR
+\fBip_list_perms\fP=\fI0644\fP
Permissions for /proc/net/xt_recent/* files.
.TP
-\fBip_list_uid\fR=\fI0\fR
+\fBip_list_uid\fP=\fI0\fP
Numerical UID for ownership of /proc/net/xt_recent/* files.
.TP
-\fBip_list_gid\fR=\fI0\fR
+\fBip_list_gid\fP=\fI0\fP
Numerical GID for ownership of /proc/net/xt_recent/* files.
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index d321fb8a..80406f76 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -7,6 +7,7 @@
* libipt_ecn.c borrowed heavily from libipt_dscp.c
*
*/
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -55,12 +56,12 @@ static void sctp_help(void)
}
static const struct option sctp_opts[] = {
- { .name = "source-port", .has_arg = 1, .val = '1' },
- { .name = "sport", .has_arg = 1, .val = '1' },
- { .name = "destination-port", .has_arg = 1, .val = '2' },
- { .name = "dport", .has_arg = 1, .val = '2' },
- { .name = "chunk-types", .has_arg = 1, .val = '3' },
- { .name = NULL }
+ {.name = "source-port", .has_arg = true, .val = '1'},
+ {.name = "sport", .has_arg = true, .val = '1'},
+ {.name = "destination-port", .has_arg = true, .val = '2'},
+ {.name = "dport", .has_arg = true, .val = '2'},
+ {.name = "chunk-types", .has_arg = true, .val = '3'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c
index 75fa3c27..594e2d4f 100644
--- a/extensions/libxt_set.c
+++ b/extensions/libxt_set.c
@@ -9,6 +9,7 @@
*/
/* Shared library add-on to iptables to add IP set matching. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -32,9 +33,9 @@ set_help(void)
}
static const struct option set_opts[] = {
- { .name = "match-set", .has_arg = true, .val = '1'},
- { .name = "set", .has_arg = true, .val = '2'},
- { .name = NULL }
+ {.name = "match-set", .has_arg = true, .val = '1'},
+ {.name = "set", .has_arg = true, .val = '2'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libxt_set.man b/extensions/libxt_set.man
index aca1bfce..01b115f0 100644
--- a/extensions/libxt_set.man
+++ b/extensions/libxt_set.man
@@ -15,7 +15,7 @@ the set type of the specified set is single dimension (for example ipmap),
then the command will match packets for which the source address can be
found in the specified set.
.PP
-The option \fB\-\-match\-set\fR can be replaced by \fB\-\-set\fR if that does
+The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions.
.PP
Use of -m set requires that ipset kernel support is provided. As standard
diff --git a/extensions/libxt_state.c b/extensions/libxt_state.c
index d8159e57..40643335 100644
--- a/extensions/libxt_state.c
+++ b/extensions/libxt_state.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add state tracking support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -22,8 +23,8 @@ state_help(void)
}
static const struct option state_opts[] = {
- { "state", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "state", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static int
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index 913aa2c7..94f29134 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -1,3 +1,4 @@
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -21,11 +22,11 @@ static void statistic_help(void)
}
static const struct option statistic_opts[] = {
- { "mode", 1, NULL, '1' },
- { "probability", 1, NULL, '2' },
- { "every", 1, NULL, '3' },
- { "packet", 1, NULL, '4' },
- { .name = NULL }
+ {.name = "mode", .has_arg = true, .val = '1'},
+ {.name = "probability", .has_arg = true, .val = '2'},
+ {.name = "every", .has_arg = true, .val = '3'},
+ {.name = "packet", .has_arg = true, .val = '4'},
+ XT_GETOPT_TABLEEND,
};
static struct xt_statistic_info *global_info;
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index df6302e8..a6c58813 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -21,6 +21,7 @@
* ipt_string_info.
*/
#define _GNU_SOURCE 1
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -44,13 +45,13 @@ static void string_help(void)
}
static const struct option string_opts[] = {
- { "from", 1, NULL, '1' },
- { "to", 1, NULL, '2' },
- { "algo", 1, NULL, '3' },
- { "string", 1, NULL, '4' },
- { "hex-string", 1, NULL, '5' },
- { "icase", 0, NULL, '6' },
- { .name = NULL }
+ {.name = "from", .has_arg = true, .val = '1'},
+ {.name = "to", .has_arg = true, .val = '2'},
+ {.name = "algo", .has_arg = true, .val = '3'},
+ {.name = "string", .has_arg = true, .val = '4'},
+ {.name = "hex-string", .has_arg = true, .val = '5'},
+ {.name = "icase", .has_arg = false, .val = '6'},
+ XT_GETOPT_TABLEEND,
};
static void string_init(struct xt_entry_match *m)
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 75551d79..26e533c0 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add TCP support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -26,14 +27,14 @@ static void tcp_help(void)
}
static const struct option tcp_opts[] = {
- { "source-port", 1, NULL, '1' },
- { "sport", 1, NULL, '1' }, /* synonym */
- { "destination-port", 1, NULL, '2' },
- { "dport", 1, NULL, '2' }, /* synonym */
- { "syn", 0, NULL, '3' },
- { "tcp-flags", 1, NULL, '4' },
- { "tcp-option", 1, NULL, '5' },
- { .name = NULL }
+ {.name = "source-port", .has_arg = true, .val = '1'},
+ {.name = "sport", .has_arg = true, .val = '1'}, /* synonym */
+ {.name = "destination-port", .has_arg = true, .val = '2'},
+ {.name = "dport", .has_arg = true, .val = '2'}, /* synonym */
+ {.name = "syn", .has_arg = false, .val = '3'},
+ {.name = "tcp-flags", .has_arg = true, .val = '4'},
+ {.name = "tcp-option", .has_arg = true, .val = '5'},
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
index b54a890e..110c60da 100644
--- a/extensions/libxt_tcpmss.c
+++ b/extensions/libxt_tcpmss.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add tcp MSS matching support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -17,8 +18,8 @@ static void tcpmss_help(void)
}
static const struct option tcpmss_opts[] = {
- { "mss", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "mss", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
};
static u_int16_t
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index 098fc9c9..9f12266b 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -38,15 +38,15 @@ static const char *const week_days[] = {
};
static const struct option time_opts[] = {
- {"datestart", true, NULL, 'D'},
- {"datestop", true, NULL, 'E'},
- {"timestart", true, NULL, 'X'},
- {"timestop", true, NULL, 'Y'},
- {"weekdays", true, NULL, 'w'},
- {"monthdays", true, NULL, 'm'},
- {"localtz", false, NULL, 'l'},
- {"utc", false, NULL, 'u'},
- { .name = NULL }
+ {.name = "datestart", .has_arg = true, .val = 'D'},
+ {.name = "datestop", .has_arg = true, .val = 'E'},
+ {.name = "timestart", .has_arg = true, .val = 'X'},
+ {.name = "timestop", .has_arg = true, .val = 'Y'},
+ {.name = "weekdays", .has_arg = true, .val = 'w'},
+ {.name = "monthdays", .has_arg = true, .val = 'm'},
+ {.name = "localtz", .has_arg = false, .val = 'l'},
+ {.name = "utc", .has_arg = false, .val = 'u'},
+ XT_GETOPT_TABLEEND,
};
static void time_help(void)
diff --git a/extensions/libxt_time.man b/extensions/libxt_time.man
index 83625a2f..2bceaf66 100644
--- a/extensions/libxt_time.man
+++ b/extensions/libxt_time.man
@@ -19,19 +19,19 @@ Only match during the given daytime. The possible time range is 00:00:00 to
23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted
as base-10.
.TP
-[\fB!\fR] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
+[\fB!\fP] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
.IP
-Only match on the given days of the month. Possible values are \fB1\fR
-to \fB31\fR. Note that specifying \fB31\fR will of course not match
+Only match on the given days of the month. Possible values are \fB1\fP
+to \fB31\fP. Note that specifying \fB31\fP will of course not match
on months which do not have a 31st day; the same goes for 28- or 29-day
February.
.TP
-[\fB!\fR] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
+[\fB!\fP] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
.IP
-Only match on the given weekdays. Possible values are \fBMon\fR, \fBTue\fR,
-\fBWed\fR, \fBThu\fR, \fBFri\fR, \fBSat\fR, \fBSun\fR, or values from \fB1\fR
-to \fB7\fR, respectively. You may also use two-character variants (\fBMo\fP,
-\fBTu\fR, etc.).
+Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP,
+\fBWed\fP, \fBThu\fP, \fBFri\fP, \fBSat\fP, \fBSun\fP, or values from \fB1\fP
+to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP,
+\fBTu\fP, etc.).
.TP
\fB\-\-utc\fP
.IP
diff --git a/extensions/libxt_tos.c b/extensions/libxt_tos.c
index 6b8cd89f..f78594ac 100644
--- a/extensions/libxt_tos.c
+++ b/extensions/libxt_tos.c
@@ -26,7 +26,7 @@ enum {
static const struct option tos_mt_opts[] = {
{.name = "tos", .has_arg = true, .val = 't'},
- { .name = NULL }
+ XT_GETOPT_TABLEEND,
};
static void tos_mt_help(void)
diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
index 9a61c8a5..67e60683 100644
--- a/extensions/libxt_u32.c
+++ b/extensions/libxt_u32.c
@@ -15,6 +15,7 @@
#include <errno.h>
#include <getopt.h>
#include <netdb.h>
+#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
@@ -23,8 +24,8 @@
#include <linux/netfilter/xt_u32.h>
static const struct option u32_opts[] = {
- {"u32", 1, NULL, 'u'},
- { .name = NULL }
+ {.name = "u32", .has_arg = true, .val = 'u'},
+ XT_GETOPT_TABLEEND,
};
static void u32_help(void)
diff --git a/extensions/libxt_u32.man b/extensions/libxt_u32.man
index 2ffab305..7c8615d3 100644
--- a/extensions/libxt_u32.man
+++ b/extensions/libxt_u32.man
@@ -11,22 +11,22 @@ value := range | value "," range
.IP
range := number | number ":" number
.PP
-a single number, \fIn\fR, is interpreted the same as \fIn:n\fR. \fIn:m\fR is
-interpreted as the range of numbers \fB>=n\fR and \fB<=m\fR.
+a single number, \fIn\fP, is interpreted the same as \fIn:n\fP. \fIn:m\fP is
+interpreted as the range of numbers \fB>=n\fP and \fB<=m\fP.
.IP "" 4
location := number | location operator number
.IP "" 4
operator := "&" | "<<" | ">>" | "@"
.PP
-The operators \fB&\fR, \fB<<\fR, \fB>>\fR and \fB&&\fR mean the same as in C.
-The \fB=\fR is really a set membership operator and the value syntax describes
-a set. The \fB@\fR operator is what allows moving to the next header and is
+The operators \fB&\fP, \fB<<\fP, \fB>>\fP and \fB&&\fP mean the same as in C.
+The \fB=\fP is really a set membership operator and the value syntax describes
+a set. The \fB@\fP operator is what allows moving to the next header and is
described further below.
.PP
There are currently some artificial implementation limits on the size of the
tests:
.IP " *"
-no more than 10 of "\fB=\fR" (and 9 "\fB&&\fR"s) in the u32 argument
+no more than 10 of "\fB=\fP" (and 9 "\fB&&\fP"s) in the u32 argument
.IP " *"
no more than 10 ranges (and 9 commas) per value
.IP " *"
@@ -35,7 +35,7 @@ no more than 10 numbers (and 9 operators) per location
To describe the meaning of location, imagine the following machine that
interprets it. There are three registers:
.IP
-A is of type \fBchar *\fR, initially the address of the IP header
+A is of type \fBchar *\fP, initially the address of the IP header
.IP
B and C are unsigned 32 bit integers, initially zero
.PP
@@ -81,28 +81,28 @@ First test that it is an ICMP packet, true iff byte 9 (protocol) = 1
.IP
\-\-u32 "\fB6 & 0xFF = 1 &&\fP ...
.IP
-read bytes 6-9, use \fB&\fR to throw away bytes 6-8 and compare the result to
+read bytes 6-9, use \fB&\fP to throw away bytes 6-8 and compare the result to
1. Next test that it is not a fragment. (If so, it might be part of such a
packet but we cannot always tell.) N.B.: This test is generally needed if you
want to match anything beyond the IP header. The last 6 bits of byte 6 and all
of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively,
you can allow first fragments by only testing the last 5 bits of byte 6.
.IP
- ... \fB4 & 0x3FFF = 0 &&\fR ...
+ ... \fB4 & 0x3FFF = 0 &&\fP ...
.IP
Last test: the first byte past the IP header (the type) is 0. This is where we
have to use the @syntax. The length of the IP header (IHL) in 32 bit words is
stored in the right half of byte 0 of the IP header itself.
.IP
- ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fR"
+ ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fP"
.IP
-The first 0 means read bytes 0-3, \fB>>22\fR means shift that 22 bits to the
+The first 0 means read bytes 0-3, \fB>>22\fP means shift that 22 bits to the
right. Shifting 24 bits would give the first byte, so only 22 bits is four
-times that plus a few more bits. \fB&3C\fR then eliminates the two extra bits
+times that plus a few more bits. \fB&3C\fP then eliminates the two extra bits
on the right and the first four bits of the first byte. For instance, if IHL=5,
then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in
-binary) xxxx0101 yyzzzzzz, \fB>>22\fR gives the 10 bit value xxxx0101yy and
-\fB&3C\fR gives 010100. \fB@\fR means to use this number as a new offset into
+binary) xxxx0101 yyzzzzzz, \fB>>22\fP gives the 10 bit value xxxx0101yy and
+\fB&3C\fP gives 010100. \fB@\fP means to use this number as a new offset into
the packet, and read four bytes starting from there. This is the first 4 bytes
of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply
shift the value 24 to the right to throw out all but the first byte and compare
@@ -118,12 +118,12 @@ First we test that the packet is a tcp packet (similar to ICMP).
.IP
Next, test that it is not a fragment (same as above).
.IP
- ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fR"
+ ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fP"
.IP
-\fB0>>22&3C\fR as above computes the number of bytes in the IP header. \fB@\fR
+\fB0>>22&3C\fP as above computes the number of bytes in the IP header. \fB@\fP
makes this the new offset into the packet, which is the start of the TCP
header. The length of the TCP header (again in 32 bit words) is the left half
-of byte 12 of the TCP header. The \fB12>>26&3C\fR computes this length in bytes
+of byte 12 of the TCP header. The \fB12>>26&3C\fP computes this length in bytes
(similar to the IP header before). "@" makes this the new offset, which is the
start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and
-\fB=\fR checks whether the result is any of 1, 2, 5 or 8.
+\fB=\fP checks whether the result is any of 1, 2, 5 or 8.
diff --git a/extensions/libxt_udp.c b/extensions/libxt_udp.c
index 135e7af7..3006c04e 100644
--- a/extensions/libxt_udp.c
+++ b/extensions/libxt_udp.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add UDP support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -21,11 +22,11 @@ static void udp_help(void)
}
static const struct option udp_opts[] = {
- { "source-port", 1, NULL, '1' },
- { "sport", 1, NULL, '1' }, /* synonym */
- { "destination-port", 1, NULL, '2' },
- { "dport", 1, NULL, '2' }, /* synonym */
- { .name = NULL }
+ {.name = "source-port", .has_arg = true, .val = '1'},
+ {.name = "sport", .has_arg = true, .val = '1'}, /* synonym */
+ {.name = "destination-port", .has_arg = true, .val = '2'},
+ {.name = "dport", .has_arg = true, .val = '2'}, /* synonym */
+ XT_GETOPT_TABLEEND,
};
static void
diff --git a/extensions/tos_values.c b/extensions/tos_values.c
index e8f1563c..10add198 100644
--- a/extensions/tos_values.c
+++ b/extensions/tos_values.c
@@ -20,7 +20,7 @@ static const struct tos_symbol_info {
{IPTOS_RELIABILITY, "Maximize-Reliability"},
{IPTOS_MINCOST, "Minimize-Cost"},
{IPTOS_NORMALSVC, "Normal-Service"},
- { .name = NULL }
+ {},
};
/*
diff --git a/include/linux/netfilter/xt_CHECKSUM.h b/include/linux/netfilter/xt_CHECKSUM.h
new file mode 100644
index 00000000..3b4fb77a
--- /dev/null
+++ b/include/linux/netfilter/xt_CHECKSUM.h
@@ -0,0 +1,18 @@
+/* Header file for iptables ipt_CHECKSUM target
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 Red Hat Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+*/
+#ifndef _IPT_CHECKSUM_TARGET_H
+#define _IPT_CHECKSUM_TARGET_H
+
+#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */
+
+struct xt_CHECKSUM_info {
+ __u8 operation; /* bitset of operations */
+};
+
+#endif /* _IPT_CHECKSUM_TARGET_H */
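Review bot: `struct xt_CHECKSUM_info` uses `__u8` but the header includes nothing, so it compiles only if the includer has already pulled in `<linux/types.h>`; the new xt_cpu.h and xt_IDLETIMER.h in this commit include it themselves, and this header should too: `#include <linux/types.h>`. xt_ipvs.h has the same gap, and additionally relies on `union nf_inet_addr` and `__be16` without including `<linux/netfilter.h>`, which declares the union. The include guard `_IPT_CHECKSUM_TARGET_H` and the comment naming an "ipt_CHECKSUM target" also do not match the xt_ file name; that is fine if this mirrors the kernel header verbatim, but a line saying so would stop someone "fixing" it locally.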
diff --git a/include/linux/netfilter/xt_IDLETIMER.h b/include/linux/netfilter/xt_IDLETIMER.h
new file mode 100644
index 00000000..3e1aa1be
--- /dev/null
+++ b/include/linux/netfilter/xt_IDLETIMER.h
@@ -0,0 +1,45 @@
+/*
+ * linux/include/linux/netfilter/xt_IDLETIMER.h
+ *
+ * Header file for Xtables timer target module.
+ *
+ * Copyright (C) 2004, 2010 Nokia Corporation
+ * Written by Timo Teras <ext-timo.teras@nokia.com>
+ *
+ * Converted to x_tables and forward-ported to 2.6.34
+ * by Luciano Coelho <luciano.coelho@nokia.com>
+ *
+ * Contact: Luciano Coelho <luciano.coelho@nokia.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA
+ */
+
+#ifndef _XT_IDLETIMER_H
+#define _XT_IDLETIMER_H
+
+#include <linux/types.h>
+
+#define MAX_IDLETIMER_LABEL_SIZE 28
+
+struct idletimer_tg_info {
+ __u32 timeout;
+
+ char label[MAX_IDLETIMER_LABEL_SIZE];
+
+ /* for kernel module internal use only */
+ struct idletimer_tg *timer __attribute((aligned(8)));
+};
+
+#endif
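Review bot: The header states the layout but not the contract for `label`: nothing says whether the 28-byte buffer must be NUL-terminated or who enforces that, which is exactly what the userspace parser author needs; a comment such as `char label[MAX_IDLETIMER_LABEL_SIZE]; /* NUL-terminated; termination checked on the kernel side — confirm */` would help once the kernel-side check is verified. Likewise `timer` is a kernel-internal pointer embedded in a userspace-visible struct; the comment should say that userspace must leave it zeroed, and presumably the kernel is responsible for not returning its contents on rule dump. The `__attribute((aligned(8)))` spelling without trailing underscores is a GCC-accepted alternate form; if this is a verbatim kernel header copy, say so at the top to discourage local edits.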
diff --git a/include/linux/netfilter/xt_cpu.h b/include/linux/netfilter/xt_cpu.h
new file mode 100644
index 00000000..93c7f11d
--- /dev/null
+++ b/include/linux/netfilter/xt_cpu.h
@@ -0,0 +1,11 @@
+#ifndef _XT_CPU_H
+#define _XT_CPU_H
+
+#include <linux/types.h>
+
+struct xt_cpu_info {
+ __u32 cpu;
+ __u32 invert;
+};
+
+#endif /*_XT_CPU_H*/
diff --git a/include/linux/netfilter/xt_ipvs.h b/include/linux/netfilter/xt_ipvs.h
new file mode 100644
index 00000000..1167aeb7
--- /dev/null
+++ b/include/linux/netfilter/xt_ipvs.h
@@ -0,0 +1,27 @@
+#ifndef _XT_IPVS_H
+#define _XT_IPVS_H
+
+enum {
+ XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */
+ XT_IPVS_PROTO = 1 << 1,
+ XT_IPVS_VADDR = 1 << 2,
+ XT_IPVS_VPORT = 1 << 3,
+ XT_IPVS_DIR = 1 << 4,
+ XT_IPVS_METHOD = 1 << 5,
+ XT_IPVS_VPORTCTL = 1 << 6,
+ XT_IPVS_MASK = (1 << 7) - 1,
+ XT_IPVS_ONCE_MASK = XT_IPVS_MASK & ~XT_IPVS_IPVS_PROPERTY
+};
+
+struct xt_ipvs_mtinfo {
+ union nf_inet_addr vaddr, vmask;
+ __be16 vport;
+ __u8 l4proto;
+ __u8 fwd_method;
+ __be16 vportctl;
+
+ __u8 invert;
+ __u8 bitmask;
+};
+
+#endif /* _XT_IPVS_H */
diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h
index 8dc89dfc..b0d28c65 100644
--- a/include/linux/netfilter/xt_quota.h
+++ b/include/linux/netfilter/xt_quota.h
@@ -11,9 +11,9 @@ struct xt_quota_priv;
struct xt_quota_info {
u_int32_t flags;
u_int32_t pad;
+ aligned_u64 quota;
/* Used internally by the kernel */
- aligned_u64 quota;
struct xt_quota_priv *master;
};
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
index 90fa6525..dcdbadf9 100644
--- a/include/linux/netfilter_ipv4/ipt_LOG.h
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -7,7 +7,8 @@
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
-#define IPT_LOG_MASK 0x1f
+#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */
+#define IPT_LOG_MASK 0x2f
struct ipt_log_info {
unsigned char level;
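Review bot: `IPT_LOG_MASK 0x2f` includes the new `IPT_LOG_MACDECODE 0x20` but drops the 0x10 `IPT_LOG_NFLOG` bit that the previous 0x1f mask covered; if that exclusion is deliberate (the flag is marked unsupported), a comment would spare the next reader from recomputing the bit pattern, e.g. `#define IPT_LOG_MASK 0x2f /* all flags except the retired NFLOG bit */`. The same applies to `IP6T_LOG_MASK` in include/linux/netfilter_ipv6/ip6t_LOG.h. If these headers are verbatim kernel copies the comment belongs upstream as well; the userspace code that validates user-supplied log flags against the mask is not in this hunk.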
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
index 0d0119b0..9dd5579e 100644
--- a/include/linux/netfilter_ipv6/ip6t_LOG.h
+++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -7,7 +7,8 @@
#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
-#define IP6T_LOG_MASK 0x1f
+#define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */
+#define IP6T_LOG_MASK 0x2f
struct ip6t_log_info {
unsigned char level;
diff --git a/include/xtables.h.in b/include/xtables.h.in
index 2d7df322..9e47c2d2 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -199,6 +199,8 @@ struct xtables_globals
void (*exit_err)(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
};
+#define XT_GETOPT_TABLEEND {NULL}
+
#ifdef __cplusplus
extern "C" {
#endif
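Review bot: `XT_GETOPT_TABLEEND` is an exported macro in the public header and carries no comment; because it expands to the positional `{NULL}`, it is accepted for any aggregate whose first member is a pointer, which invites use on tables other than `struct option` (libxt_rateest.c already does this in this commit). Document the intent, `/* Terminating entry for a struct option array passed to getopt_long() */`, and consider the designated form `{.name = NULL}` so that use on a struct without a `name` member fails to compile rather than silently working.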